Re: transition from suidmanager to dpkg-statoverride
> Following the discussion,
>
> I'm not sure I understood everything so one question:
> I'm building a package that embeds a suid file. This file needs to
> have 6755 permissions and belongs to the foo.foo. However, the Policy
> mentions that executables must be 4755 (suid).
"Setuid and setgid executables should be mode 4755 or 2755 respectively"
I think you're reading policy in an overly formal and legalistic manner.
Policy describes current best practice of the Debian project. It is
written by humans, who may not even speak English as their first
language, and who typically do not speak with high precision. So if
policy says "setuid and setgid executables should be mode 4755 or 2755
respectively", the correct thing to do is think _why_ is it saying that?
The remainder of the paragraph provides a powerful clue:
[...] They should
not be made unreadable (modes like 4711 or 2711 or even 4111); doing
so achieves no extra security, because anyone can find the binary in
the freely available Debian package--it is merely inconvenient. For
the same reason you should not restrict read or execute permissions on
non-set-id executables.
The first sentence of section 4.9 is an even better clue perhaps.
--
see shy jo, who has a package with a 6755 executable, and is confident it
does not violate policy