
Proposed policy on set-id programs



Following my earlier message on this subject and the feedback, here is
a more concrete proposal for discussion.  What have I left out?

Ian.

A Debian package may contain set-id programs only if approved by one
of the Debian security reviewer(s) who is satisfied that:

* If the program is set-gid (not set-uid) to a non-security-critical,
  non-core group such as games:
  - That this does not pose a significant risk to the remainder of the
    system.

* Otherwise:
  - That the program and its configuration have no outstanding
    critical security problems;
  AND
  - That the program was designed with being set-id in mind;
  AND
  - That the default configuration is secure, possibly erring on the
    side of restricting functionality rather than allowing holes.
  AND
  - That either
    + the program and its configuration have been subjected to a
      competent code review for security problems
    OR
    + it has been subjected to widespread use and testing either in
      the Linux community or elsewhere, in configurations that are
      similar to or believed less secure than that to be distributed.

* AND in any case:
  - That there is no reasonable solution to the problem available that
    doesn't require the program to be distributed set-id;
  AND
  - That the executable-only-by-group technique has been used if
    appropriate.

Here `it' is not just the program code itself, but also the way it is
configured, installed and documented.

The security reviewer(s) would be appointed by the project leader; I'd
expect there to be a handful of them.  Disagreements between them are
to be resolved by consensus if possible; if this fails or in any case
the project leader may (obviously) override them by fiat.

Packages in which security holes are found may be removed from the
distribution, have urgent updates distributed, and/or have other
necessary measures taken, at the discretion of any security reviewer
who makes a formal pronouncement on the subject.

--
Ian Jackson, at home.   ian@chiark.greenend.org.uk          + 44 1223 3 31579
General: ijackson@chiark.greenend.org.uk  Permanent: ijackson@gnu.ai.mit.edu
Churchill College, Cambridge, CB3 0DS.   http://www.cl.cam.ac.uk/users/iwj10/


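The "executable-only-by-group technique" named in the last bullet of the
proposal, shown as an added example; this is not part of Ian's message or of
any Debian policy text.  The idea is that a set-uid or set-gid binary is
installed with no permission bits at all for "other" (mode 4750 or 2750,
owned by root and the relevant group), so that only members of that group can
run it and an arbitrary local user cannot even start probing it.  The second
function is the check a reviewer would run over a package's installed tree:
list set-id files that are still executable by everyone.  Assumptions: a POSIX
sh with a find(1) that understands -perm; the demo runs unprivileged, so it
sets only the group (the caller's own primary group) and leaves the
root-ownership step as a comment.

```shell
# install_setid_group_only SRC DEST GROUP MODE
# Install SRC at DEST so that only members of GROUP can execute it.
# MODE is 4750 for a set-uid program or 2750 for a set-gid one: read and
# execute for the group, nothing for "other".
install_setid_group_only() {
    src=$1; dest=$2; group=$3; mode=$4
    cp "$src" "$dest" || return 1
    # chown root:"$group" "$dest"   # the real install step; needs root,
    chgrp "$group" "$dest" || return 1   # so this demo sets only the group
    chmod "$mode" "$dest" || return 1
}

# audit_setid DIR
# List set-uid/set-gid regular files under DIR that are executable by
# "other" (octal 001), i.e. set-id programs that did not use the technique.
audit_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -perm -001 2>/dev/null | sort
}

# demo_audit
# Build a scratch tree (constructed sample data) with one compliant and one
# non-compliant set-uid script, run the audit, and print the offender's name.
demo_audit() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho hello\n' > "$tmp/hello"
    grp=$(id -gn)
    install_setid_group_only "$tmp/hello" "$tmp/restricted" "$grp" 4750 || return 1
    install_setid_group_only "$tmp/hello" "$tmp/open" "$grp" 4755 || return 1
    audit_setid "$tmp" | sed "s|^$tmp/||"
    rm -rf "$tmp"
}

demo_audit
```

Running the demo prints only `open`: the 4750 copy is set-uid but not
world-executable, so the audit does not flag it, while the 4755 copy is.  Note
that chmod(1) alone does not prove the bit will be honoured at run time; a
filesystem mounted nosuid silently ignores it.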
--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com

