
Re: Bug#4051: access permissions for /usr/bin/fdmount



Ian Jackson writes:
> 
> Damn, it looks like my comment
>  Before anyone changes anything, please read the appropriate part of
>  the new policy manual.
> went unheeded.  I see that the change that Daniel Quinlan requested

Oops.

> has been made.  It's a shame that I didn't get around to writing this
> more detailed response to the situation sooner.

Yes, I waited for some time without getting one reply.

> There is nothing wrong with having an executable mode 4754 setuid
> root, owned by some particular group.  This is the right way to solve
> this problem.

Anyway the file was in the wrong group.

> Compiling names of groups or even worse group ids into binaries is a
> bad idea.

Why? Because it's not easy to change? I talked to Alain (upstream
maintainer) about my changes and he's going to include them into 4.4. I
don't see the problem right now, since you're able to put everyone in group
floppy who shall be able to use fdmount. On the other hand this group coding
(which is ifdef'ed btw so it's not much work to create a new version) adds
security. How many systems have wrong permissions on some files? In
particular a file with s.bit should be as secure as possible IMHO.

> I'm going to reopen this bug report.  Sorry, Michael Meskes (but you
> should have heeded my warning).

No problem Ian. But then I'm not so sure if it's a bug now.

Michael

-- 
Michael Meskes                   |    _____ ________ __  ____
meskes@informatik.rwth-aachen.de |   / ___// ____/ // / / __ \___  __________
meskes@sanet.de                  |   \__ \/ /_  / // /_/ /_/ / _ \/ ___/ ___/
meskes@debian.org                |  ___/ / __/ /__  __/\__, /  __/ /  (__  )
Use Debian Linux!                | /____/_/      /_/  /____/\___/_/  /____/
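
Added example, not part of the original message and not fdmount's own code: a check that a setuid-root helper really has the mode 4754, root-owned, single-group layout discussed in this thread, so that only members of that group can execute it. The gid value 25 and the function names are assumptions made for the illustration.

```python
import os
import stat

# Constructed sample value; on a real system use grp.getgrnam("floppy").gr_gid
FLOPPY_GID = 25


def audit_setuid_mode(mode, uid, gid, allowed_gid):
    """Return findings for a setuid-root binary meant to be run by one group only.

    An empty list means the file matches the 4754 root:<group> layout.
    """
    findings = []
    if not stat.S_ISREG(mode):
        findings.append("not a regular file")
    if not mode & stat.S_ISUID:
        findings.append("setuid bit not set")
    if uid != 0:
        findings.append("owner is not root")
    if gid != allowed_gid:
        findings.append("group is not the intended one")
    if not mode & stat.S_IXGRP:
        findings.append("not executable by group")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    if mode & stat.S_IXOTH:
        # With o+x the group ownership no longer restricts who may run it.
        findings.append("executable by others")
    return findings


def audit_path(path, allowed_gid):
    """Audit a file on disk without following symlinks."""
    st = os.lstat(path)
    return audit_setuid_mode(st.st_mode, st.st_uid, st.st_gid, allowed_gid)


if __name__ == "__main__":
    # Constructed cases: (st_mode, uid, gid)
    samples = [
        (0o104754, 0, FLOPPY_GID),  # intended layout
        (0o104755, 0, FLOPPY_GID),  # world-executable
        (0o104754, 0, 0),           # right mode, wrong group
    ]
    for mode, uid, gid in samples:
        result = audit_setuid_mode(mode, uid, gid, FLOPPY_GID)
        print(stat.filemode(mode), uid, gid, result or "ok")
```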


