Re: (forw) Bug#298060: Please don't install login as setuid root



On Sat, Mar 05, 2005 at 03:34:58PM +0100, Christian Perrier wrote:
> Security and release teams, may I have your advice about this suggestion?

> As you may know, I currently act as maintainer for the shadow package,
> but I'm also aware of my own weaknesses when it comes to security (and
> security-related) issues so I prefer getting the advice of more
> competent people.

> Given that installing login non setuid has been blessed for Ubuntu,
> I'm inclined to follow the suggestion, but doing so close to a release
> is maybe not wise.....so I'm seeking advice..:-)

Even when this feature was novel to me, I never found it useful.  I wouldn't
miss it, and obviously the security folks wouldn't; perhaps other people
may, so it's probably reasonable to let such a change age in unstable for a
bit to give them a chance to object and explain why this is actually useful
(since no one else can think of a reason).

-- 
Steve Langasek
postmodern programmer

> ----- Forwarded message from Martin Pitt <mpitt@debian.org> -----
> 
> Subject: Bug#298060: Please don't install login as setuid root
> Reply-To: Martin Pitt <mpitt@debian.org>, 298060@bugs.debian.org
> Date: Fri, 4 Mar 2005 12:39:11 +0100
> From: Martin Pitt <mpitt@debian.org>
> To: Debian Bug Tracking System <submit@bugs.debian.org>
> 
> Package: login
> Version: 1:4.0.3-30.9
> Severity: wishlist
> Tags: patch
> 
> Hi!
> 
> /bin/login is currently installed setuid root, which is absolutely not
> necessary and only a potential security threat. In Ubuntu we have installed
> it as 0755 for ages now without any problems.
> 
> Trivial patch, but for the record:
> 
>   http://patches.ubuntu.com/patches/shadow.login-nosuid.diff
> 
> Please consider making this change for Debian, too.
> 
> Thanks,
> 
> Martin
> 
> -- 
> Martin Pitt                       http://www.piware.de
> Ubuntu Developer            http://www.ubuntulinux.org
> Debian GNU/Linux Developer       http://www.debian.org
> 
> 
> 
> ----- End forwarded message -----
> 
