Re: setuid/setgid binaries contained in the Debian repository.
On Sat, 2 Aug 2003 20:48:26 -0400, Matt Zimmerman <email@example.com> said:
>> This, sir, is a lie.
> This statement has very little meaning from you.
Then I think this discussion has reached the end of its useful
>> I did not call you disingenuous for asking for clarification, I
>> called you disingenuous for stating that setgidness of programs is
>> merely a packaging issue; and implying that program design and
>> implementation were not involved.
> To clarify yet again, the statement in question was "File
> permissions and program privileges are clearly a packaging matter."
> I never said it was "just" or "merely" a packaging issue, while you
> have tried to put both of those words in my mouth.
> Of course these issues have an effect on program design and
> implementation; so does nearly every other aspect of packaging. But
> it remains true that file permissions and program privileges are a
> matter of Debian policy, and a significant part of the packaging
> process for nontrivial programs.
> You had no excuse for accusing me of being disingenuous, and you
> have yet to retract this accusation.
Wrong again. Here is the context, that you are eliding:
>>>> You are now talking about putting things into policy that require
>>>> maintainers to change program behaviour to attain similar
>>>> functionality and features; and all the examples you quote are
>>>> about packaging details that are under our control completely.
I was concerned that making programs not setgid is not a
matter of adding a chown line in the rules file; that it needed
perhaps a deeper understanding and modification of the code; and that
this proposal differed from all other examples quoted.
With this background, you come up with "File permissions and
program privileges are clearly a packaging matter."
I stand by what I said.
> Earlier in this thread, Steve Kemp and I volunteered to be two of the people
> who will be reviewing these issues. I would assume that there are others
> reading debian-security who will have insight as well, but two is more than
> enough to do some good.
Given the last review of a setgid program, I wonder if two
people are enough. The mistake was simple, human, and understandable,
but the review does not in fact talk about any flaws in the current
version of angband (tome does need to be so changed); and this kind
of error would undermine the process -- especially if the results are
couched in terms like those below:
>> Why do we need policy to tell us to do what you suggest are good,
>> common sense things?
> As the maintainer of a package containing a setgid program with a
> glaring security hole, perhaps you can tell me.
Perhaps more people would reduce the tensions and permit a
more, umm, civilized, and correct, audit to be performed?
"We have met the enemy and he is us" Walt Kelly (in POGO)
Manoj Srivastava <firstname.lastname@example.org> <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C