Re: (forw) Bug#298060: Please don't install login as setuid root

To: Christian Perrier <bubulle@debian.org>
Cc: team@security.debian.org, debian-release@lists.debian.org, 298060@bugs.debian.org, 298060-submitter@bugs.debian.org
Subject: Re: (forw) Bug#298060: Please don't install login as setuid root
From: Martin Schulze <joey@infodrom.org>
Date: Mon, 7 Mar 2005 19:18:16 +0100
Message-id: <[🔎] 20050307181816.GW5330@finlandia.infodrom.north.de>
In-reply-to: <[🔎] 20050305143458.GL7778@mykerinos.kheops.frmug.org>
References: <[🔎] 20050305143458.GL7778@mykerinos.kheops.frmug.org>

Christian Perrier wrote:
> Security and release teams, may I have your advice about this suggestion?
> 
> As you may know, I currently act as maintainer for the shadow package,
> but I'm also aware of my own weaknesses when it comes at security (and
> security-related) issues so I prefer getting the advice of more
> competent people.
> 
> Given that installing login non setuid has been blessed for Ubuntu,
> I'm inclined to follow the suggestion, but doing so close to a release
> is maybe not wise.....so I'm seeking for advices..:-)

When no code needs to be changed but only the suid bit dropped
and login still works as expected, I don't see a reason not to
drop the setuid bit, even the contrary, I wonder why it is setuid
root in the first place.

Regards,

	Joey

-- 
If nothing changes, everything will remain the same.  -- Barne's Law

Please always Cc to me when replying to me on the lists.

Reply to:

References:
- (forw) Bug#298060: Please don't install login as setuid root
  - From: Christian Perrier <bubulle@debian.org>

Prev by Date: Re: Proposing stable PostgreSQL bugfixes
Next by Date: Re: please requeue gnucash
Previous by thread: Re: Bug#298060: (forw) Bug#298060: Please don't install login as setuid root
Next by thread: Re: bash, gcc-3.4, python-defaults and python2.3 for testing
Index(es):
- Date
- Thread