Re: SUID binaries in the repo

> Thorsten Leemhuis wrote:
> > But we have other packages (I had two and still have one) that entered
> > the repo with SUID binaries that were never reviewed by anyone. Do we
> > care? Do we trust packagers (¹) enough to decide?
> 
> We should definitely make sure they get looked at.  Copying bressers, 
> who might be able to help with drafting a plan.
> 

Yes, this should get some attention from someone.  There is no reason to
allow any app that wants it to have suid.  Things like consolehelper exist
for just this reason.

Within Red Hat I care for a suid whitelist.  If it's not on the list, I
have to be convinced that it should be.  It works rather well honestly.  It
would probably make sense to give this task to the Fedora Security Response
Team as it will be them cleaning up the mess after a "suid gone wild"
event.

-- 
    JB

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
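The whitelist process described above, as an added example that is not part of the original mail, Red Hat's tooling, or the Fedora Security Response Team's process: a small POSIX shell audit that lists every setuid/setgid file under a root (the installed system, or an unpacked package tree at review time) and reports anything missing from an allowlist. The allowlist format (one path per line, relative to the scanned root) and the demo tree built by make_demo are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a tree for setuid/setgid files
# and flag any that are not on an explicit allowlist.
# Assumed allowlist format: one path per line, relative to the scanned root.

# find_suid ROOT
#   Print, sorted and relative to ROOT, every regular file with the
#   setuid (4000) or setgid (2000) bit set.
find_suid() {
    root="$1"
    ( cd "$root" && find . -type f \( -perm -4000 -o -perm -2000 \) -print \
        | sed 's|^\./||' | sort )
}

# audit_suid ROOT ALLOWLIST
#   Print each setuid/setgid file that is not listed in ALLOWLIST.
#   Returns 0 when everything is allowed, 1 when anything unexpected exists.
audit_suid() {
    root="$1"; allow="$2"
    unexpected=$(find_suid "$root" | while IFS= read -r f; do
        # -x: whole-line match, -F: literal, -q: status only
        grep -qxF -- "$f" "$allow" || printf '%s\n' "$f"
    done)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# make_demo
#   Build a constructed tree (not a real system) with two setuid files,
#   only one of which is on the allowlist, plus one ordinary binary.
#   Prints the temporary directory; ROOT is $dir/root, list is $dir/allow.txt.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/root/usr/bin" "$d/root/usr/sbin"
    : > "$d/root/usr/bin/passwd";   chmod 4755 "$d/root/usr/bin/passwd"
    : > "$d/root/usr/bin/surprise"; chmod 4755 "$d/root/usr/bin/surprise"
    : > "$d/root/usr/sbin/plain";   chmod 0755 "$d/root/usr/sbin/plain"
    printf 'usr/bin/passwd\n' > "$d/allow.txt"
    printf '%s\n' "$d"
}

# run_demo: exercise the audit on the constructed tree and clean up.
run_demo() {
    d=$(make_demo)
    echo "setuid/setgid files found:"
    find_suid "$d/root"
    echo "not on allowlist:"
    audit_suid "$d/root" "$d/allow.txt" || echo "(audit failed: review the above)"
    rm -rf "$d"
}

run_demo
```

Against a live system you would scan from / (adding -xdev to the find so it stays on one filesystem) with the distribution's allowlist; the same audit_suid call works on an unpacked package tree during review, which is where an unreviewed setuid binary should be caught before it enters the repo.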
