
Re: setuid/setgid binaries contained in the Debian repository.



On Sun, Aug 03, 2003 at 10:04:09PM -0500, Manoj Srivastava wrote:

>  I can easily code an entry for katie and friends that takes a new
>  package, and marks up the ones with setgid bits set -- and the ftp
>  maintainers do not create override entries until they see a consensus
>  develop, or the security team says ok.

You could, but it wouldn't be useful as a filter, because it would not
notice packages which set the permissions in postinst (as does every package
with a dynamic uid).

Note that this is NOT what was proposed.  While I think this might be a
useful methodology in the future, I do not think that it makes sense until
the review process has established itself in a less fascist manner.

> 	Are you saying that the review was not discussed as a gating
>  mechanism? If that is the case, then I admit I, for one, was fooled.
> 
> Message-ID: <20030801151852.GB15502@alcor.net>
> Message-ID: <20030801153312.GA23610@uk.intasys.com>
>  >> All set[ug]id setups should be reviewed before they go into the
>  >> archive. 

I do not understand how you logically reach "gating mechanism" from my
"should" above.  None of the other "should" statements in the policy manual
are interpreted this way.  How did I fool you?

-- 
 - mdz
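The limitation raised above (an upload-time check on the mode bits in the package's data tarball cannot see a setuid/setgid bit that postinst applies after creating a dynamic user or group) as an added example, not code from the thread or from Debian's archive tools. The package contents, the path /usr/games/example and the postinst text are constructed; the chmod pattern is an assumption covering the common numeric and symbolic forms.

```python
import io
import re
import stat
import tarfile

# Constructed postinst: the binary ships 0755 in the tarball and only becomes
# setgid here, after the system group exists on the installing machine.
POSTINST = """#!/bin/sh
set -e
addgroup --system games >/dev/null 2>&1 || true
chgrp games /usr/games/example
chmod 2755 /usr/games/example
"""

# chmod lines that add the setuid/setgid bit: numeric (2xxx/4xxx/6xxx) or
# symbolic (u+s, g+s, a+st ...). Captures the target path. Assumed pattern.
CHMOD_SETID_RE = re.compile(
    r"^\s*chmod\s+(?:[ugoa]*[+=][rwx]*[st][rwxst]*|[2467][0-7]{3})\s+(\S+)",
    re.M,
)

def build_data_tar():
    """Constructed data.tar with one plain 0755 file (no setuid/setgid bit)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("./usr/games/example")
        info.mode = 0o755
        info.size = 0
        tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()

def static_setid_files(data_tar):
    """What a mode-bit filter on the uploaded tarball would flag."""
    with tarfile.open(fileobj=io.BytesIO(data_tar)) as tar:
        return sorted(m.name for m in tar.getmembers()
                      if m.mode & (stat.S_ISUID | stat.S_ISGID))

def postinst_setid_files(script):
    """What the same filter misses: set-id bits granted by maintainer scripts."""
    return sorted(set(CHMOD_SETID_RE.findall(script)))

def audit(data_tar, postinst):
    """Report both sources so a reviewer sees the full set-id surface."""
    return {"static": static_setid_files(data_tar),
            "postinst": postinst_setid_files(postinst)}
```

Run against the constructed package, the static scan returns nothing while the postinst scan reports /usr/games/example, which is exactly the gap the reply points out.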


