On Fri, Dec 09, 2016 at 09:52:39AM +0100, Karel Zak wrote: > On Thu, Dec 08, 2016 at 09:09:15PM -0500, J William Piggott wrote: > > On 12/07/2016 06:25 AM, Karel Zak wrote: > > > Maybe my patch seems too strict, but change docs is not enough, the > > > code matters. We want to be sure nobody uses hwclock as setuid, > > > especially if man page and code comments promised this non-sense. > > > > I agree that setuid should be removed from the man-page and source > > comments. I do not think the code was a problem; removing it does not > > See 687cc5d58942b24a9f4013c68876d8cbea907ab1, it removes many checks. > It wasn't about comments only. > > > prevent running it with setuid. It only prevents users from access to > > the benign read only functions of hwclock which they have historically > > had. > > I agree that kernel is the place where we need to check permissions, > so I have removed the if (getuid() != 0) > > https://github.com/karelzak/util-linux/commit/f4e61504a457395018c02bafcf17d1e3f8644b78 > > let's hope nobody uses it as setuid. We will need big fat note in the v2.30 ReleaseNotes to make sure downstream maintainers don't use it with some extra permissions. Karel -- Karel Zak <kzak@xxxxxxxxxx> http://karelzak.blogspot.com -- To unsubscribe from this list: send the line "unsubscribe util-linux" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
