[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#27050 (fdutils): A cause for security concern?

On Tue, Jan 19, 1999 at 05:16:01PM -0500, Avery Pennarun wrote:
> When the docs for a setuid program warn you "not to trust its security"
> then be afraid, be very afraid.  It shouldn't be automatically setuid in
> Debian until _some_ security-conscious person has audited it carefully.

On a related note, I recently had a relatively grave security concern with
the 'xzx' package (a ZX Spectrum emulator for X) - after it faulted one time
(can't remember what happened - I think it just stopped responding to
closing the window and using 100% CPU), I had a number of things go wrong -
I checked out the binary itself, and found it was suid root!

Now, the postinst (which sets the suid bit) never warned me about this, and
I can also see no reason for it to be suid root - it doesn't appear to give
up root priviledges once started (and contains file dialogs).

I'm not sure whether this violates policy or not (and thus whether to file a
bug against it) - but Policy does not require postinsts using
chmod/suidregister to give message or query, then perhaps it
needs to be added...

Robert Donn 

Reply to: