
Re: debhelper: dh_fixperms should come after dh_suidregister (was: Re: setgid stuff)



On Sun, Nov 28, 1999 at 12:13:55PM +1100, Brian May wrote:
> My observation (nothing more/less, however, probably a good idea
> in general):
> 
> This means that it is the Debian maintainer's decision to have a
> SetUID program, not the upstream maintainer (as dh_fixperms overrides
> anything set by the upstream Makefile).
> 
> At least, the Debian maintainer must be aware of programs that are
> SetUID.

It's a good point, and yes, a package maintainer *must* be aware of
every setuid/setgid program in their package.  Each one presents a
potential security risk, and must be checked out: which user/group
should this executable run as?  Does it really need to be
setuid/setgid?  And so on.  (For /bin/su the answer is yes, for
/usr/X11R6/bin/xlock, the answer would be no now that we have a
PAMified xlock.)

   Julian

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

  Julian Gilbey, Dept of Maths, QMW, Univ. of London. J.D.Gilbey@qmw.ac.uk
        Debian GNU/Linux Developer,  see http://www.debian.org/~jdg
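
One way a maintainer can keep track of every setuid/setgid program in a package, as an added example that is not part of the original message or of debhelper: the function lists each such file in a staging tree and compares it with a list the maintainer has written down. The name `audit_setid`, the allowlist file and its one-path-per-line format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a package staging tree for setuid/setgid files.
# Usage: audit_setid STAGING_DIR ALLOWLIST
# ALLOWLIST (hypothetical format): one path per line, relative to
# STAGING_DIR, naming the files the maintainer has decided should be
# setuid/setgid. Lines starting with '#' are comments.
audit_setid() {
    staging=$1
    allowlist=$2
    unexpected=0
    found=$(mktemp) || return 2

    # POSIX find: regular files with the setuid (4000) or setgid (2000) bit.
    (cd "$staging" && find . -type f \( -perm -4000 -o -perm -2000 \) -print) |
        sed 's|^\./||' | sort > "$found"

    while IFS= read -r path; do
        mode=$(ls -ld "$staging/$path" | cut -d' ' -f1)
        if grep -Fxq -- "$path" "$allowlist"; then
            echo "expected    $mode $path"
        else
            echo "UNEXPECTED  $mode $path"
            unexpected=1
        fi
    done < "$found"

    # Allowlisted paths without the bit in the tree: it was lost during the
    # build, for example reset by a permissions pass run after it was set.
    while IFS= read -r path; do
        case $path in ''|'#'*) continue ;; esac
        grep -Fxq -- "$path" "$found" || { echo "MISSING     $path"; unexpected=1; }
    done < "$allowlist"

    rm -f "$found"
    return "$unexpected"
}

# Stand-alone use: sh audit.sh STAGING_DIR ALLOWLIST
if [ "$#" -eq 2 ]; then audit_setid "$1" "$2"; fi
```

A non-zero return means the tree and the maintainer's list disagree, so the check can fail a build before the package is uploaded.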

