
Re: Policy question



> the debian policy states that you shouldn't make suid programs unreadable to
> the world; the idea behind ever doing such a thing on nonfree systems is
> that the program may have security holes that could be exploited by users
> that examined the program carefully.  the policy tells you not to do this
> because the world can read the file in question anyway by getting the free
> package directly.  however, making a directory unreadable/executable to
> the world serves a different purpose, that is, restricting setuid execute
> permission (albeit in a very roundabout way due to the flaw in unix that
> a program can only set {u,g}id to its owner/group).  people who do not have
> root privilege on the system can *not* simply download the package themselves
> to bypass the security, since they can not make the program setuid
> listar.  therefore i think that if it is really necessary to make a file
> setgid to one group and give another group permission to run it (i agree
> with jules that this is ugly, and should be replaced by a full-time daemon
> that will only communicate with an mta) then making a directory un-enterable
> is acceptable.

An example of a package which already does almost exactly the same is
the secure-su package, which diverts the standard su to
/bin/su.orig/su or something like that, making /bin/su.orig mode 700,
so that no one except for root has access to the non-enhanced version
of su.  This seems to be acceptable.  Maybe there is some way for the
listar program to be setuid root, and the first thing it does is to
check that it has been called legally (i.e., the real UID is daemon,
or whatever, and then to set the {r,e}gid to listar followed by the
{r,e}uid to listar before doing anything else).  Get a security expert
to check out this idea first, of course -- I don't claim any real
expertise in this field yet.

   Julian

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

            Julian Gilbey             Email: J.D.Gilbey@qmw.ac.uk
       Dept of Mathematical Sciences, Queen Mary & Westfield College,
                  Mile End Road, London E1 4NS, ENGLAND
      -*- Finger jdg@goedel.maths.qmw.ac.uk for my PGP public key. -*-
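
The check-then-drop sequence sketched in the message above, written out as an added C example (it is not part of the original message and is not code from listar or secure-su). The numeric IDs are placeholders, since the message names the accounts daemon and listar but gives no values; the supplementary-group reset and the verification after the drop are additions beyond what the message describes.

```c
#define _DEFAULT_SOURCE 1   /* for setgroups() in <grp.h> on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical IDs: the message names the accounts "daemon" and "listar" but
 * gives no numbers. A real wrapper would resolve them with getpwnam(). */
#define CALLER_UID 1u      /* assumed uid of "daemon" (the MTA's user) */
#define LISTAR_UID 4242u   /* placeholder */
#define LISTAR_GID 4242u   /* placeholder */

/* 1 if the invoking (real) uid is the one account allowed to run us. */
int caller_allowed(uid_t real_uid, uid_t allowed_uid)
{
    return real_uid == allowed_uid;
}

/* Permanently become uid:gid. Returns 0 on success, -1 on any failure.
 * Order matters: groups first, then gid, then uid, because once the uid
 * is no longer 0 the process may not change its groups any more. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                  /* dropping "to root" is a config error */
    if (setgroups(0, NULL) != 0)    /* shed root's supplementary groups */
        return -1;
    if (setgid(gid) != 0)           /* euid 0: sets real, effective, saved gid */
        return -1;
    if (setuid(uid) != 0)           /* euid 0: sets real, effective, saved uid */
        return -1;
    /* Verify the drop is complete and cannot be undone. */
    if (setuid(0) == 0 || setgid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(void)
{
    if (!caller_allowed(getuid(), CALLER_UID) ||
        drop_privileges(LISTAR_UID, LISTAR_GID) != 0) {
        fprintf(stderr, "listar wrapper: refused\n");
        return 1;
    }
    /* Only here, running as listar:listar, would the real program start. */
    return 0;
}
```

Every failure path exits before any list-handling code runs, so a failed or partial drop never leaves the program working with root's identity.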

