
Policy question



Hello all,

Section 4.9 of the Debian policy manual specifically permits deviance from
the defined behavior when necessary; however, I would like to discuss a
situation not contemplated by that section.

The situation is this.  There is a mailing list management program that
needs to run setuid to its particular uid (created by adduser in postinst).
It also ought to run setgid to its particular gid (again, created by adduser
in postinst).  It is intended to be run only by an MTA, and as a security
precaution (since it is setuid/setgid), it is best not to let anyone execute
it (also, it would be very easy to forge messages that way).

My current solution is to have it owned by user listar, group daemon, mark it
setuid and group executable, with no user execute permissions.  This is OK
(the MTA runs as group daemon), but the problem is that it cannot be setgid
to the appropriate gid in this situation.

The solution that I have come up with is to create a special directory in
its /usr/lib area:

drwxrwx--- listar.daemon restricted-executables/

Then, in there, have the binary:

-rwsrwsr-x listar.listar listar

How does that sound to everyone?  This achieves appropriate security (only
executable by MTAs [technically, the daemon group]) but still setuid and
setgid appropriately.  The downside is that the 4.9 doctrine is that people
should be given read access as much as possible, but that isn't really
possible here.  The world-readable and -executable bits on the binary don't
make a difference to others; they can't even get to that area.

Thanks,
John
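The permission arithmetic the mail relies on, worked through as an added example (not code from the original mail or from the listar package): a small model of the kernel's owner/group/other check that walks every directory on the path before looking at the file, then applies setuid/setgid the way exec does. It compares the current layout (-rwS--x--- listar.daemon) with the proposed one (drwxrwx--- listar.daemon guarding -rwsrwsr-x listar.listar). The MTA credentials (user "mail", gid daemon), the ordinary user "alice", and the /usr/lib/listar path are assumptions for illustration; root's permission override is deliberately left out, since delivery does not run as root.

```python
"""Model of the Unix access check behind the restricted-directory layout.

Added example, not from the original mail.  The MTA's credentials, the user
"alice" and the /usr/lib/listar paths are assumptions for illustration.
"""
import stat
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Cred:
    user: str
    group: str                              # primary (effective) gid
    extra: FrozenSet[str] = frozenset()     # supplementary groups


@dataclass(frozen=True)
class Inode:
    owner: str
    group: str
    mode: int                               # st_mode: type + set-id + rwx bits


X = 0o1  # execute (file) / search (directory) bit within an rwx triple


def class_bits(inode: Inode, cred: Cred) -> int:
    """Return the rwx triple that applies to `cred`: owner, group or other.
    Root's override is not modelled (delivery is not done as root)."""
    if cred.user == inode.owner:
        return (inode.mode >> 6) & 0o7
    if inode.group == cred.group or inode.group in cred.extra:
        return (inode.mode >> 3) & 0o7
    return inode.mode & 0o7


def can_exec(fs: Dict[str, Inode], path: str, cred: Cred) -> bool:
    """True if `cred` can execute `path`: search (x) on every directory on the
    way, then x on the file itself.  This is why a world-executable binary in
    a directory with no 'other' bits is unreachable for everyone else."""
    parts = path.strip("/").split("/")
    walked = ""
    for d in parts[:-1]:
        walked += "/" + d
        if not class_bits(fs[walked], cred) & X:
            return False
    return bool(class_bits(fs[path], cred) & X)


def exec_creds(fs: Dict[str, Inode], path: str, cred: Cred) -> Tuple[str, str]:
    """Effective (user, group) after a successful exec.  setuid/setgid hand
    out the *file's* owner and group, so the gid you can reach is whatever
    group the binary has to carry for the MTA to be allowed to run it."""
    if not can_exec(fs, path, cred):
        raise PermissionError(path)
    ino = fs[path]
    euid = ino.owner if ino.mode & stat.S_ISUID else cred.user
    egid = ino.group if ino.mode & stat.S_ISGID else cred.group
    return euid, egid


def _dir(owner: str, group: str, perm: int) -> Inode:
    return Inode(owner, group, stat.S_IFDIR | perm)


def _file(owner: str, group: str, perm: int) -> Inode:
    return Inode(owner, group, stat.S_IFREG | perm)


# Constructed filesystem skeleton shared by both layouts (assumed paths).
COMMON = {
    "/usr": _dir("root", "root", 0o755),
    "/usr/lib": _dir("root", "root", 0o755),
    "/usr/lib/listar": _dir("root", "root", 0o755),
}

# Current layout: -rwS--x--- listar.daemon.  Only group daemon may run it, but
# even with setgid on, the gid obtained can only be daemon, never listar.
CURRENT_PATH = "/usr/lib/listar/listar"
CURRENT = dict(COMMON)
CURRENT[CURRENT_PATH] = _file("listar", "daemon",
                              stat.S_ISUID | stat.S_ISGID | 0o610)

# Proposed layout: drwxrwx--- listar.daemon guarding -rwsrwsr-x listar.listar.
PROPOSED_DIR = "/usr/lib/listar/restricted-executables"
PROPOSED_PATH = PROPOSED_DIR + "/listar"
PROPOSED = dict(COMMON)
PROPOSED[PROPOSED_DIR] = _dir("listar", "daemon", 0o770)
PROPOSED[PROPOSED_PATH] = _file("listar", "listar",
                                stat.S_ISUID | stat.S_ISGID | 0o775)

MTA = Cred("mail", "daemon")    # assumed: the MTA delivers with gid daemon
ALICE = Cred("alice", "alice")  # assumed: an ordinary local user


if __name__ == "__main__":
    print("current layout, MTA  ->", exec_creds(CURRENT, CURRENT_PATH, MTA))
    print("proposed layout, MTA ->", exec_creds(PROPOSED, PROPOSED_PATH, MTA))
    print("proposed layout, alice can exec:",
          can_exec(PROPOSED, PROPOSED_PATH, ALICE),
          "(file bits alone would allow it:",
          bool(class_bits(PROPOSED[PROPOSED_PATH], ALICE) & X), ")")
```

Running it shows the two points of the mail side by side: under the current layout the MTA ends up as (listar, daemon) because the binary must carry group daemon to be executable at all, while under the proposed layout it ends up as (listar, listar); and although the file's own "other" bits would let alice execute the binary, the search bit missing on restricted-executables stops her before she reaches it.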

