Re: setuid/setgid binaries contained in the Debian repository.

Steve Kemp wrote:
>   A long time ago[1] I asked if there was a list of all the setuid/setgid
>  binaries contained in the previous Debian stable release. 
>   As there still isn't such a list I've created one and placed it online
>  with a simple search form.
>   (This is the list that my recent spate of bug reporting has been
>  based upon).
>  	http://www.steve.org.uk/cgi-bin/debian/index.cgi

I'd like to see us move all of our setgid games (except, perhaps,
nethack) away from using global score files by default. After several
bad experiences with xbl (DSA-345, DSA-327), I suggested to its author
that it be changed to use a score file in the player's home directory.
We ended up making it do that by default, but letting it use a global
score file if it is locally made setgid since it's been pretty well
audited by now. Anyway, the point is that most games need a global score
file like I need a third ear -- maybe useful from time to time[1], but
normally just one more thing to worry about. I plan to go through the
rest of the games I maintain and make similar changes.

I also think it would be a good idea for policy to require all
setuid/gid bit grants to go through this or another list for peer
review, much as pre-depends are supposed to.

see shy jo

[1] Multi-user game machines are not as common as they once were.
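
The score-file arrangement described in the message above, sketched in C as an added example that is not part of the original post and is not xbl's code. The file paths and function names are hypothetical, and the sample gids in any call are constructed.

```c
#define _XOPEN_SOURCE 700 /* for setregid() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical paths; a real package would fix these at build time. */
#define GLOBAL_SCORES "/var/games/example.scores"
#define HOME_SCORES   ".example-scores"

/* Choose the score file: the global one only when the binary was made
 * setgid (effective gid differs from real gid), otherwise one under $HOME.
 * Returns 0 on success, -1 when no usable location exists. */
int score_path(char *out, size_t len, gid_t rgid, gid_t egid, const char *home)
{
    int n;
    if (rgid != egid)
        n = snprintf(out, len, "%s", GLOBAL_SCORES);
    else if (home != NULL && home[0] == '/')
        n = snprintf(out, len, "%s/%s", home, HOME_SCORES);
    else
        return -1;
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Open the score file first, then permanently give up the extra group so
 * the rest of the game (input parsing, rendering) runs unprivileged. */
FILE *open_scores(void)
{
    char path[PATH_MAX];
    gid_t rgid = getgid(), egid = getegid();
    FILE *fp = NULL;
    if (score_path(path, sizeof path, rgid, egid, getenv("HOME")) == 0)
        fp = fopen(path, "a+");
    /* setregid() with both ids set also resets the saved set-group-ID. */
    if (setregid(rgid, rgid) != 0 || getegid() != rgid)
        abort(); /* never continue with the group still held */
    return fp;
}

int main(void)
{
    FILE *fp = open_scores();
    printf("score file %s, egid now %d\n", fp ? "opened" : "unavailable", (int)getegid());
    if (fp) fclose(fp);
    return 0;
}
```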

