[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: setuid/setgid binaries contained in the Debian repository.

On Thu, Jul 31, 2003 at 06:37:53PM +0100, Steve Kemp wrote:

> On Thu, Jul 31, 2003 at 12:55:28PM -0400, Joey Hess wrote:
> > I also think it would be a good idea for policy to require all
> > setuid/gid bit grants to go through this or another list for peer
> > review, much as pre-depends are supposed to.
>   I was thinking of approaching that problem a different way.
>   In the same way that apt-listchanges shows a packages changelog
>  at install time, I could see a script 'apt-listsetuid' which would
>  warn the admin at install time if any new setuid/setgid applications
>  were being installed.

I use checksecurity for this; it runs from cron (daily by default) and
notifies me whenever there is a change in the list of setuid and setgid
programs on the system.

 - mdz

Reply to: