[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SUID binaries in the repo



> Thorsten Leemhuis wrote:
> > But we have other packages (I had two and still have one) that entered
> > the repo with SUID binaries that were never reviewed by anyone. Do we
> > care? Do we trust packagers (¹) enough to decide?
> 
> We should definitely make sure they get looked-at.  Copying bressers, 
> who might be able to help with drafting a plan.
> 

Yes, this should get some attention from someone.  There is no reason to
allow any app that wants it to have suid.  Things like consolehelper exist
for just this reason.

Within Red Hat I care for a suid whitelist.  If it's not on the list, I
have to be convinced that it should be.  It works rather well honestly.  It
would probably make sense to give this task to the Fedora Security Response
Team as it will be them cleaning up the mess after a "suid gone wild"
event.

-- 
    JB


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]