Re: Bug#27050 (fdutils): A cause for security concern?
On Tue, Jan 19, 1999 at 04:43:37PM -0500, Ben Collins wrote:
> On Tue, Jan 19, 1999 at 02:29:44PM -0700, Anthony Fok wrote:
> > As the Slink deep freeze and release are impending, I would like to ask
> > your advice: Should I follow the suggestion given by the bug reporter
> > Thomas Roessler? If so, should I fix this bug before Slink is out? I
> > am kind of busy with school now and would like to put it off till the
> > holiday, but if all of you experienced developers feel that it is
> > urgent, I will try to fix it before Slink is released.
> I would suggest making it sgid to group floppy, then make it mode 2754.
> There doesn't seem to be a need to have it suid root since /dev/fd? is
> writable by group floppy.
I don't think you can mount filesystems unless you're root.
> 1) Only people in group floppy will be able to execute it,
That's a useful feature, though. You could make it owned by root.floppy,
mode 1754. (There is no real need to make it setgid floppy in any case.)
When the docs for a setuid program warn you "not to trust its security"
then be afraid, be very afraid. It shouldn't be automatically setuid in
Debian until _some_ security-conscious person has audited it carefully.
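The two modes proposed in the thread, 2754 (setgid floppy) and 1754 (sticky, no setgid), differ only in the special bit; both leave group floppy with execute and everyone else without it. The following Python script is an added illustration, not part of the thread or of the fdutils package: it decodes an octal mode into its special bits and per-class rwx flags, reports which identity the program would run under, and checks who gets execute permission. The 4755 value is an assumed mode for a typical setuid-root binary (the thread only says "suid root"); the scratch-file round trip uses a temporary file rather than any real fdutils path.

```python
import os
import stat
import tempfile

# Special-bit and permission masks as defined by POSIX (from the stat module).
SPECIAL_BITS = {"setuid": stat.S_ISUID, "setgid": stat.S_ISGID, "sticky": stat.S_ISVTX}
CLASSES = {
    "owner": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    "group": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    "other": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
}


def describe_mode(mode_str):
    """Decode an octal mode string such as "2754" into its special bits
    (setuid/setgid/sticky) and an rwx string for owner, group and other."""
    mode = int(mode_str, 8)
    result = {name: bool(mode & bit) for name, bit in SPECIAL_BITS.items()}
    for cls, (r, w, x) in CLASSES.items():
        result[cls] = "".join(
            ch if mode & bit else "-" for ch, bit in (("r", r), ("w", w), ("x", x))
        )
    return result


def can_execute(mode_str, is_owner, in_group):
    """Return True if a caller with the given relationship to the file has the
    execute bit. Only the first matching class counts: owner, then group, then
    other. Root (which bypasses these checks) is deliberately not modelled."""
    mode = int(mode_str, 8)
    if is_owner:
        return bool(mode & stat.S_IXUSR)
    if in_group:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def effective_privilege(mode_str):
    """Summarise which identity an executable with this mode gains when run:
    the file owner's uid (setuid), the file's gid (setgid), or nothing extra."""
    d = describe_mode(mode_str)
    if d["setuid"]:
        return "owner"
    if d["setgid"]:
        return "group"
    return "caller"


def apply_and_read_back(mode_str):
    """Apply the mode to a scratch file and read it back with os.stat, so the
    decoded description can be compared with what the filesystem stores."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    try:
        os.chmod(path, int(mode_str, 8))
        return format(stat.S_IMODE(os.stat(path).st_mode), "04o")
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # 4755 is an assumed mode for a setuid-root binary; 2754 and 1754 are the
    # modes proposed in the thread.
    for m in ("4755", "2754", "1754"):
        print(m, describe_mode(m),
              "runs with privilege of:", effective_privilege(m),
              "| group floppy can run:", can_execute(m, False, True),
              "| others can run:", can_execute(m, False, False),
              "| stored as:", apply_and_read_back(m))
```

The output makes the trade-off in the thread concrete: 2754 still grants the floppy gid to whoever runs the program, while 1754 grants no extra identity at all and merely restricts who may execute it. Note that on Linux a non-root owner who is not a member of the file's group will have the setgid bit silently cleared by chmod, so the read-back value is worth checking after any such change.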