
Re: debmake suid programs



Christoph Lameter writes:

-> 2. Thus every person needing to build a package needs to have full
->    superuser access.

Absolutely not!  The whole point of programs such as super and sudo is
that you can configure root access.  So, you can allow very specific
superuser access expressly for building packages.

-> 3. The permanent need to type superuser password and to issue superuser
->    commands is something that is really bothering me. I want the time
->    that I spend at the superuser prompt to be as minimal as possible. I know
->    I can make bad mistakes at that point.

You can use the -r switch to dpkg-buildpackage to tell it what program
to use to get superuser access ONLY when needed (i.e., for the clean
and the actual package build).

-> 4. Since every person needing to build a package already MUST have full
->    access to superuser privileges it is reasonable to put those users
->    into a group (debmake uses root) and structure/simplify the access to
->    avoid "accidents" by issuing commands that might have unintended
->    consequences.

Not only are the assumptions wrong (see 2), group root already has
special meanings associated, and it's not fair to assume that your
suid wrappers can take over the meaning of that group.

-> 5. The wrappers are only accessible to those persons with group membership
->    in root and they only execute commands necessary for building a package
->    with due considerations of all the peculiarities of the dpkg tools
->    minimizing the superuser environment created.

"My program can't have any bugs".  Many programmers have thought so,
and many of them have been wrong.  It doesn't make sense to create new
suid tools to do what other, tested and well-used, tools can do
already.

-> 6. The build, debclean and debpkg wrappers help to simplify things that
->    a developer does again and again and again. It is a great help to develop
->    packages and thus an important part of debmake.

Then make them non-suid and allow the sysadmin to provide for the
appropriate people to allow sudo to execute only those tools.  Every
suid program on the system is another opportunity for a security
hole. There is no sense in creating obligatory suid tools.

-Larry

--
  Larry Daffner        |  Linux: Unleash the workstation in your PC!
  vizzie@airmail.net / http://web2.airmail.net/vizzie/
	The universe is full of magical things, patiently waiting 
	for our wits to grow sharper.  --Eden Phillpots
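
Following the message's point that every suid program is another opportunity for a security hole, a sysadmin can list which files a package installs with the setuid or setgid bit before deciding how to grant build access. This is an added example, not part of the original message or of debmake; the function name `privileged_files` is made up here, and the input is assumed to be one path per line, such as the output of `dpkg -L`.

```shell
#!/bin/sh
# Added example (not from the original post or from debmake).
# Reads file paths from stdin, one per line, and prints one line for each
# regular file that carries the setuid or setgid bit:
#     setuid <uid>:<gid> <path>
#     setgid <uid>:<gid> <path>
# Usage (assumes a Debian system with the package installed):
#     dpkg -L debmake | privileged_files
privileged_files() {
    while IFS= read -r path; do
        # Skip blank lines.
        [ -n "$path" ] || continue
        # Skip symlinks: the mode bits that matter are on the target, which
        # shows up in the list on its own if the package ships it.
        [ -L "$path" ] && continue
        # Skip directories and paths that are not present on this system.
        [ -f "$path" ] || continue
        # Numeric owner and group, so uid 0 is visible whatever root is named.
        owner=$(ls -ldn -- "$path" | awk '{print $3 ":" $4}')
        [ -u "$path" ] && printf 'setuid %s %s\n' "$owner" "$path"
        [ -g "$path" ] && printf 'setgid %s %s\n' "$owner" "$path"
    done
    return 0
}
```

A line reading `setuid 0:0` for a wrapper that is executable only by its group is the arrangement the quoted points 4 and 5 describe.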
