Once upon a time, Horst H. von Brand <vonbrand@xxxxxxxxxxxx> said:
> Chris Adams <cmadams@xxxxxxxxxx> wrote:
> > Once upon a time, Adam Jackson <ajax@xxxxxxxxxx> said:
> > > On 4/13/12 2:37 PM, Frank Ch. Eigler wrote:
> > > >
> > > >>[...]
> > > >>If your package meets the following criteria you MUST enable the PIE
> > > >>compiler flags:
> > > >>[...]
> > > >> * Your package runs as root.
> > > >>[...]
> > > >
> > > >If this is meant to cover administrative binaries that have no
> > > >privilege escalation pieces of their own, merely run by root, then
> > > >what makes them different from any other /bin/* program that a root
> > > >process might invoke?
> > >
> > > It's not meant to cover that. That phrasing is meant to cover system
> > > components like init that do not function _unless_ run as uid 0.
> >
> > How about adding an "only" to the sentence then, like:
> >
> > * Your package runs only as root.
>
> Nope. A program running as SGID games (or any other "different than the
> user starting it" or "needs any special privileges") should be included
> here.

That is already not covered under the particular rule in question (I
believe it was covered under another rule). I was only suggesting a
clarification of the "runs as root" rule.
--
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel