
Re: dpkg-statoverride vs. suidmanager

Domenico Andreoli wrote:
> What if a new release of suidmanager worked with/on statoverrides? Every new
> package that needs to work with setuid et al could start directly with
> statoverrides, the old still would work with suidregister but this time
> leaving a coherent state in the statoverrides database since suidmanager
> now works with that database (I'm nearly not knowing anything of this topic
> but suidmanager suite).

Doesn't really work because suidregister requires that binaries be
shipped non-suid, and it may add the suid bit, while statoverrides allow
the binary to be suid in the .deb itself (this is a good thing, it makes
it easy to tell if some package has a suid file before installing it).

If new packages ship suid binaries and the old suidregister is being
used, there is a window where binaries will be suid even if the admin
has turned off those permissions, and we should not allow that.

see shy jo
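
Added example, not part of the original message or of dpkg: a shell check an admin could run to spot the state described above, where a file on disk carries setuid/setgid bits that the stat override does not grant. It reads lines in `dpkg-statoverride --list` format; the function names, the optional root-prefix argument and the `tool_a`/`tool_b` fixture are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare on-disk modes against admin stat overrides.
# Input on stdin, one override per line, as printed by `dpkg-statoverride --list`:
#   <user> <group> <mode> <path>

check_overrides() {
    # $1 (optional, hypothetical): prefix prepended to each path, so the
    # check can be run against a scratch tree instead of the live system.
    root=${1:-}
    rc=0
    while read -r user group mode path; do
        [ -n "$path" ] || continue
        f="$root$path"
        [ -e "$f" ] || continue            # file not installed, nothing to compare
        have=$(stat -c '%a' "$f") || continue
        want_special=$(( (0$mode) & 06000 ))   # suid/sgid bits the admin allows
        have_special=$(( (0$have) & 06000 ))   # suid/sgid bits actually set
        extra=$(( have_special & ~want_special ))
        if [ "$extra" -ne 0 ]; then
            printf 'VIOLATION %s override=%s actual=%s\n' "$path" "$mode" "$have"
            rc=1
        fi
    done
    return $rc
}

# Constructed fixture: tool_a is on disk as 4755 although its override says
# 0755 (the window discussed above); tool_b matches its override.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/usr/bin" || return 2
    for n in tool_a tool_b; do : > "$d/usr/bin/$n"; done
    chmod 4755 "$d/usr/bin/tool_a"
    chmod 0755 "$d/usr/bin/tool_b"
    printf '%s\n' 'root root 0755 /usr/bin/tool_a' \
                  'root root 0755 /usr/bin/tool_b' | check_overrides "$d"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Real use on a Debian system:  dpkg-statoverride --list | check_overrides
```

The function returns non-zero when any violation is found, so it can gate a post-install or cron check.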
