Re: The unanswered Question
On Fri, 22 Nov 1996, Ian Jackson wrote:
ian >> Then change the policy. Both packages give instructions on how to change
ian >> the permission of binaries in order to gain functionality and thus violate
ian >> the policy.
ian >
ian >I feel we have a serious miscommunication here. What policy are you
ian >asking me to change ? Our policy on whether something should be
ian >setuid ? We don't have one at the moment, but at this rate we will
ian >have soon. At the moment we're just expecting maintainers to use
ian >common sense and caution.
Section 3.3 of the Policy Manual states:
Do not arrange that the system administrator can only reconfigure the
package to correspond to their local security policy by changing the
permissions on a binary. Ordinary files installed by dpkg (as opposed to
conffiles and other similar objects) have their permissions reset to the
distributed permissions when the package is reinstalled. Instead you
should consider (for example) creating a group for people allowed to use
the program(s) and making any setuid executables executable only by that
group.
--- +++ --- +++ --- +++ --- +++ --- +++ --- +++ --- +++ ---
PGP Public Key = FB 9B 31 21 04 1E 3A 33 C7 62 2F C0 CD 81 CA B5
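The arrangement Section 3.3 recommends, as an added example that is not part of the original message: the setuid binary ships owned by root and a dedicated group with mode 4750, and a check tells that layout apart from a world-executable setuid file. The helper name `classify_setuid`, the group `toolusers` and the path in the comments are assumptions; the sample files are constructed in a temporary directory.

```shell
#!/bin/sh
# Packaging side (needs root, shown as comments; names are hypothetical):
#   groupadd toolusers
#   chown root:toolusers /usr/bin/tool
#   chmod 4750 /usr/bin/tool      # setuid, executable by owner and group only
# The administrator then grants access by adding users to the group,
# not by chmod, so a reinstall that resets the mode changes nothing.

# Classify one file by how widely its setuid bit can be exercised.
classify_setuid() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 1; }
    [ -u "$f" ] || { echo "not-setuid"; return 0; }
    if [ -n "$(find "$f" -perm -0001)" ]; then
        echo "world-executable"      # any local user can run it setuid
    elif [ -n "$(find "$f" -perm -0010)" ]; then
        echo "group-restricted"      # the layout the policy text describes
    else
        echo "owner-only"
    fi
}

# Constructed sample files; no root needed because we own them.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/open";       chmod 4755 "$d/open"
    : > "$d/restricted"; chmod 4750 "$d/restricted"
    : > "$d/plain";      chmod 0755 "$d/plain"
    for name in open restricted plain; do
        printf '%-12s %s\n' "$name" "$(classify_setuid "$d/$name")"
    done
    rm -rf "$d"
}

demo
```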