
(forw) Bug#298060: Please don't install login as setuid root



Security and release teams, may I have your advice about this suggestion?

As you may know, I currently act as maintainer for the shadow package,
but I'm also aware of my own weaknesses when it comes to security (and
security-related) issues so I prefer getting the advice of more
competent people.

Given that installing login non setuid has been blessed for Ubuntu,
I'm inclined to follow the suggestion, but doing so close to a release
is maybe not wise... so I'm seeking advice. :-)



----- Forwarded message from Martin Pitt <mpitt@debian.org> -----

Subject: Bug#298060: Please don't install login as setuid root
Reply-To: Martin Pitt <mpitt@debian.org>, 298060@bugs.debian.org
Date: Fri, 4 Mar 2005 12:39:11 +0100
From: Martin Pitt <mpitt@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>

Package: login
Version: 1:4.0.3-30.9
Severity: wishlist
Tags: patch

Hi!

/bin/login is currently installed setuid root, which is absolutely not
necessary and only a potential security threat. In Ubuntu we have installed
it as 0755 for ages now without any problems.

Trivial patch, but for the record:

  http://patches.ubuntu.com/patches/shadow.login-nosuid.diff

Please consider making this change for Debian, too.

Thanks,

Martin

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org



----- End forwarded message -----
