Re: SVGAlib suid binaries?
Joe Drew <hoserhead@woot.net> writes:
> On Mon, Oct 25, 1999 at 11:27:32PM +0200, Goswin Brederlow wrote:
> > > Instead of this, though, which could be a problem, I included a script, based
> > > on one in gnuplot, which will configure the suid bit-ness of lsdoom, the svgalib
> > > executable.
> >
> > Hmm, I might file a bug against that. Interactive installation really
> > sucks and it will ban lsdoom from my demo-fs packages as a possible
> > game to include. Patching it back to noninteractive is work. :(
>
> It's no problem to make it non-interactive, or default to SUID, but
> IMHO that's far worse a bug than asking the user what they want in the
> beginning. LxDoom is a /game/, and as such making it run as root
> could leave a system wide open.
>
> > If you have two binaries, make the svga setuid by default. No one will
> > install it to not let the users use it.
>
> This is true; a large **WARNING** on postinst (no prompting though) could
> be enough. (Along with a note in the package description.) I'll see what
> the reaction to the initial package is, though.

The warning is in the svga package I think or should be. A svga in the
name of a package should be warning enough, but feel free to add a big
WARNING to the postinst. Admins using svga lib should know what they
do, that's my point of view.

Anyway a big warning is probably the best compromise between warning
the unknowing and not getting on the nerves of the not caring. :)

May the Source be with you.
Goswin

PS: Why doesn't dpkg have a logfile for such stuff, it should be
recorded during installation and shown afterwards.