
dpkg and setuid programs



Hello all,

When installing programs with dpkg (and its various frontends) you get no
warning when a setuid or setgid file is installed. I would consider it
desirable behaviour of dpkg to alert the user who's installing the package
that it contains a setuid or setgid binary, the path of that binary, under
what effective user or group it runs, and its md5 checksum. I think that
this could increase the security of Debian systems as it would result in
the person who installs the package being alerted to the fact that it (the
program he/she is installing) may introduce a security problem. Perhaps
an interactive prompt (with an option to override this behaviour on the
command-line) which asks if you would like to continue with the
installation of the package even though it contains a setuid or setgid
program would be appropriate behavior.

Is there any reason that this hasn't been added to dpkg's code?  I don't
think that it would require a change in the format of .deb
packages.  Does anyone have any thoughts on this matter?

-------------
Joe Dollard
joeis@ozmatrix.com.au
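
The check proposed in the message above, sketched as an added example (not part of the original message and not dpkg code): it scans a package's filesystem tar and reports each setuid or setgid file with its path, the user or group it would run as, and its md5 checksum. The function names and the sample archive contents are constructed for illustration.

```python
import hashlib
import io
import stat
import tarfile


def find_setid_members(tar_stream):
    """Return one record per regular file that carries the setuid or setgid bit."""
    findings = []
    # "r|*" reads the tar as a forward-only stream, so a pipe works as input.
    with tarfile.open(fileobj=tar_stream, mode="r|*") as tar:
        for member in tar:
            bits = member.mode & (stat.S_ISUID | stat.S_ISGID)
            if not member.isfile() or not bits:
                continue
            data = tar.extractfile(member).read()
            findings.append({
                "path": member.name,
                "mode": oct(member.mode & 0o7777),
                "setuid_as": member.uname if bits & stat.S_ISUID else None,
                "setgid_as": member.gname if bits & stat.S_ISGID else None,
                "md5": hashlib.md5(data).hexdigest(),
            })
    return findings


def build_sample_tar():
    """Constructed stand-in for a package's filesystem tar (not a real package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, user, group, body in [
            ("./usr/bin/example-tool", 0o4755, "root", "root", b"constructed setuid body\n"),
            ("./usr/bin/example-mail", 0o2755, "root", "mail", b"constructed setgid body\n"),
            ("./usr/bin/example-plain", 0o755, "root", "root", b"constructed plain body\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.mode, info.uname, info.gname, info.size = mode, user, group, len(body)
            tar.addfile(info, io.BytesIO(body))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for f in find_setid_members(build_sample_tar()):
        print("{path}: mode {mode}, setuid as {setuid_as}, "
              "setgid as {setgid_as}, md5 {md5}".format(**f))
```

For a real package, `dpkg-deb --fsys-tarfile package.deb` writes the filesystem tar to standard output, which can be passed to `find_setid_members` as `sys.stdin.buffer`.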

