Re: Setuid

To: ian@chiark.greenend.org.uk (Ian Jackson)
Cc: debian-devel@lists.debian.org (Debian Development)
Subject: Re: Setuid
From: Michael Meskes <meskes@Informatik.RWTH-Aachen.DE>
Date: Fri, 15 Nov 1996 09:48:35 +0100 (MET)
Message-id: <199611150848.JAA16343@feivel.topsystem.de>
In-reply-to: <m0vOG74-0004O4C@chiark.greenend.org.uk> from "Ian Jackson" at Nov 15, 96 04:42:00 am

Ian Jackson writes:
> 
> I propose that we institute a stricter policy regarding setuid-root
> code.

Absolutely agreed.

> Some requirements I think might be useful, individually or in
> combination would be:
> 
> * Code must have been written with the intent that it would be setuid.

Definitely.

> * Code must be reasonably widely-used in the world at large.

Wait a moment. That would mean we cannot include a new piece of software
that is written to be setuid just because no one used it before.

> * Code must be reviewed (possible alternative to widespread use?)

Not a bad idea.

> * Approval required by a security-conscious person that conditions
> have been met.

Almost the same as above, isn't it?

Michael

-- 
Michael Meskes                   |    _____ ________ __  ____
meskes@informatik.rwth-aachen.de |   / ___// ____/ // / / __ \___  __________
meskes@sanet.de                  |   \__ \/ /_  / // /_/ /_/ / _ \/ ___/ ___/
meskes@debian.org                |  ___/ / __/ /__  __/\__, /  __/ /  (__  )
Use Debian GNU/Linux!            | /____/_/      /_/  /____/\___/_/  /____/

--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com

Reply to:

References:
- Setuid
  - From: Ian Jackson <ian@chiark.greenend.org.uk>

Prev by Date: Re: Packages with Critial Bugs
Next by Date: How do I detect if a package is installed?
Previous by thread: Setuid
Next by thread: Re: Setuid
Index(es):
- Date
- Thread