Re: Suid Manager?
>
> I would like to have a suidmanager and every package that wants to install
> a suid binary needs to use a script provides by the suidmanager which can
> do site specific changes to the suid configuration. There should be a
> configuration file that lists all suid binaries (so the administrator can
> check up on them easily) and that would allow a administrator to simply
> edit that file to change settings. Those settings would then be kept
> across and update.
>
> Then dpkg could simply not allow generating packages containing setuid
> bits.
I would recommend expanding this to a s/uid/gid manager, with similar
semantics.
In another thread, we are discussing what to do about qmail wanting 7
dedicated UIDs and a GID. Ian Jackson wants to reserve UIDs 0-99 for
static, Debian distributed critical users, and dynamically alocate UIDs
in the range of 65000-65533 to packages that want multiple UIDs.
I like this solution, but it yields another problem.
I assume that qmail wants some files to be owned by these 7 users and 1
group, and some of those to be SUID and SGID. As I understand how dpkg
works, the files are unpacked before the users would be created, so
there is no guarantee that they will be installed with the right UIDs,
especially if the accounts are dynamically allocated.
However, by having a script as part of dpkg (or base-passwd) that sets
uids, gids, and modes of specified files based on a control file, a
package could do something as simple as give the command "fixperms
--package packagename" in its postinst script, and the fixperms script
would do the right thing based on the control file, creating the new
users and setting the proper ownership and modes.
I also think that it should be stated (and enforced, if possible)
policy that packages cannot modify the modes or owners of files they do
not own, nor can they set the UIDs and GIDs of files to users and
groups that are not installed either by base-passwd or by that package
itself.
>
> --- +++ --- +++ --- +++ --- +++ --- +++ --- +++ --- +++ ---
> PGP Public Key = FB 9B 31 21 04 1E 3A 33 C7 62 2F C0 CD 81 CA B5
>
> --
> TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
> debian-devel-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com
>
--
Buddha Buck bmbuck@acsu.buffalo.edu
"Just as the strength of the Internet is chaos, so the strength of our
liberty depends upon the chaos and cacaphony of the unfettered speech
the First Amendment protects." -- A.L.A. v. U.S. Dept. of Justice
--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com
Reply to: