Re: Trouble posting to debian-devel
On 2025-05-09 08:20, Boyuan Yang wrote:
> Just a reminder: if you are trying to report a sensitive security
> issue: DO NOT post on debian-devel or other public mailing lists
> to avoid disclosing it to the public in an unwanted way.
> Please contact Debian Security Team via security@debian.org.
> If it is about some generic technical discussion, using debian-devel
> is suitable.
So, my mail is definitely being blocked based on the content. I won't
name the specific package, but it involves running code as root that
does not need to be, because a systemd user unit is being started for
the root user. I really don't think hiding the details (in this
specific case) protects anybody, and honestly I think it reduces
everyone's safety.
The reason I want to post this to debian-devel is because I'd like to
discuss a generic approach to ensuring that systemd user units that
are inappropriate for privileged users to start.
In particular, I'm advocating for some systemd target that would
Conflicts= with units that would have ConditionUser=!root so that
administrators could easily prevent things like drkonqi from starting
in sensitive user sessions.
I'd also like to confirm there is a policy (or at least agreement)
that running code as root unnecessarily is a problem. I bring that
up because I'm concerned that the bug I filed may go ignored.
Best,
Antonio
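
An audit for the ConditionUser=!root guard mentioned in the message above, as an added example that is not part of the original post or of any Debian or systemd tooling: it lists user services that carry no such condition and would therefore also start in root's user session. The function names and the sample unit names are hypothetical, and the sample units are constructed.

```shell
#!/bin/sh
# Added example: report user services with no ConditionUser=!root guard.
# Simplification (assumption): only the unit file and drop-ins in the same
# directory are read; systemd also merges drop-ins from /etc and /run.

units_without_root_guard() {
    dir=${1:-/usr/lib/systemd/user}
    for unit in "$dir"/*.service; do
        [ -f "$unit" ] || continue
        # Read the unit together with its <unit>.d/*.conf drop-ins.
        if cat "$unit" "$unit".d/*.conf 2>/dev/null |
            grep -Eq '^[[:space:]]*ConditionUser[[:space:]]*=[[:space:]]*!(root|0)[[:space:]]*$'
        then
            continue    # guarded: skipped in root's user manager
        fi
        basename "$unit"
    done
}

# Constructed sample tree (hypothetical unit names), for an offline run.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '[Unit]\nDescription=Crash helper\n[Service]\nExecStart=/bin/true\n' \
        > "$d/crash-helper.service"
    printf '[Unit]\nConditionUser=!root\n[Service]\nExecStart=/bin/true\n' \
        > "$d/sync-agent.service"
    printf '[Unit]\nDescription=Indexer\n[Service]\nExecStart=/bin/true\n' \
        > "$d/indexer.service"
    mkdir "$d/indexer.service.d"
    printf '[Unit]\nConditionUser=!root\n' > "$d/indexer.service.d/no-root.conf"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
units_without_root_guard "$sample"    # prints: crash-helper.service
rm -rf "$sample"
```

Called without an argument, the function scans /usr/lib/systemd/user; a unit guarded only by a drop-in under /etc/systemd/user is reported as unguarded because of the simplification noted in the comments.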