On Tue, Sep 07, 2004 at 01:57:37PM -0700, Steve G wrote:
> >The problem is that during the transaction, httpd-suexec (which got pulled
> >in as a dependency) got installed first, outputting the message "apache
> >group doesn't exist, using root"... BAD!
>
> Really bad. I would think this bug needs fast attention. If you download a
> package from a 3rd party that has buffer overflows and is setgid, you now have a
> buggy program with buffer overflows running as root. Any setgid installation that
> fails should never revert to root, it should fail immediately and let the admin
> take care of it.

Not sure about that - it should certainly not set the setuid bit, but it's
probably easier for the admin if it still installs it.

> Was this filed in bugzilla?

Ditto Q: and bug id?