Re: transition from suidmanager to dpkg-statoverride

[Joey Hess <joeyh@debian.org>]

>   Following the discussion,
> 
>   I'm not sure I understood everything so one question:
>     I'm building a package that embeds a suid file. This file needs to
>     have 6755 permissions and belongs to the foo.foo . However, the Policy
>     mentions that executables must be 4755 (suid).

"Setuid and setgid executables should be mode 4755 or 2755 respectively"

I think you're reading policy in an overly formal and legalistic manner.
Policy describes current best practice of the Debian project. It is
written by humans, who may not even speak English as their first
language, and who typically do not speak with high precision. So if
policy says "setuid and setgid executables should be mode 4755 or 2755
respectively", the correct thing to do is think _why_ is it saying that?
The remainer of the paragraph provides a powerful clue:

                                                        [...] They should
     not be made unreadable (modes like 4711 or 2711 or even 4111); doing
     so achieves no extra security, because anyone can find the binary in
     the freely available Debian package--it is merely inconvenient.  For
     the same reason you should not restrict read or execute permissions on
     non-set-id executables.

The first sentence of section 4.9 is an even better clue perhaps.

-- 
see shy jo, who has a package with a 6755 executable, and is confident it
            does not violate policy