
debmake security changed:

As a result of the recent discussion I have made some changes to debmake.
I hope this is satisfactory to all parties:

(A part of the README.debian in 1.91 follows)

Suid Wrappers

debmake comes with suidwrappers (the above mentioned "build" and "debpkg") 
that make life easier for you. These suidwrappers filter
environment variables, set a secure search path and only allow certain
commands to be executed.  Processing Makefiles is inherently dangerous
though since almost any UNIX command can be executed. Thus these
suidwrappers are disabled after installation or an upgrade of debmake.
Otherwise you might activate something that is a security problem for your
particular setup. 

You can either invoke these wrappers from "sudo" or
"super" or any other way you have to control superuser access, or
set them up to be accessible from a group of users (some people suggest
that this is highly dangerous since it creates another executable that
runs with the Superuser bit set and which won't ever ask you for a
password!) by issuing the following command:

      chmod 4750 /usr/bin/{build,debpkg}

after each upgrade. This will enable access to the suidwrappers for all
users who are members of the group "root". If you would like another group
to determine who has access to these wrappers then change the group
ownership of these files.

Christoph Lameter <clameter@waterf.org>

--- +++ --- +++ --- +++ --- +++ --- +++ --- +++ --- +++ ---
PGP Public Key  =  FB 9B 31 21 04 1E 3A 33  C7 62 2F C0 CD 81 CA B5 
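
The three protections the README excerpt names (environment filtering, a fixed search path, a command allowlist), sketched in C as an added example. This is not debmake's wrapper code and not part of the original message; the allowlist, the kept variables and the PATH value are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed lists for illustration; debmake's real ones are not shown on the page. */
static const char *const ALLOWED_CMDS[] = { "make", "dpkg", NULL };
static const char *const KEEP_VARS[] = { "TERM", "LANG", "HOME", NULL };
static const char SAFE_PATH[] = "PATH=/usr/sbin:/usr/bin:/sbin:/bin";

/* Accept only a bare name on the allowlist; any '/' is rejected outright. */
int command_allowed(const char *cmd)
{
    if (cmd == NULL || *cmd == '\0' || strchr(cmd, '/') != NULL) return 0;
    for (size_t i = 0; ALLOWED_CMDS[i]; i++)
        if (strcmp(cmd, ALLOWED_CMDS[i]) == 0) return 1;
    return 0;
}

/* True if "NAME=value" has a NAME that matches a kept variable exactly. */
static int var_kept(const char *entry)
{
    for (size_t i = 0; KEEP_VARS[i]; i++) {
        size_t n = strlen(KEEP_VARS[i]);
        if (strncmp(entry, KEEP_VARS[i], n) == 0 && entry[n] == '=')
            return 1;
    }
    return 0;
}

/* Build a fresh environment instead of editing the caller's: the fixed PATH
   first, then kept variables only. Returns the entry count, excluding NULL. */
size_t build_clean_env(char *const in[], const char *out[], size_t cap)
{
    size_t n = 0;
    if (cap < 2) return 0;
    out[n++] = SAFE_PATH;
    for (size_t i = 0; in && in[i] && n + 1 < cap; i++)
        if (var_kept(in[i])) out[n++] = in[i];
    out[n] = NULL;
    return n;
}

int main(void)
{
    /* Constructed sample environment, as an unprivileged caller might set it. */
    char *env[] = { "PATH=.:/tmp", "LD_PRELOAD=/tmp/x.so", "TERM=xterm", "IFS=/", NULL };
    const char *clean[8];
    size_t n = build_clean_env(env, clean, 8);
    for (size_t i = 0; i < n; i++) puts(clean[i]);
    printf("make=%d /tmp/make=%d sh=%d\n", command_allowed("make"), command_allowed("/tmp/make"), command_allowed("sh"));
    return 0;
}
```

A real wrapper would pass the cleaned array to execve() together with an absolute path for the allowed command, so that nothing inherited from the caller influences lookup.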
