Github messages for voidlinux
 help / color / mirror / Atom feed
* [ISSUE] [RFC] explicitly allow setuid and setgid permissions in templates
@ 2021-07-23 14:03 paper42
  2021-07-23 14:35 ` ericonr
                   ` (10 more replies)
  0 siblings, 11 replies; 12+ messages in thread
From: paper42 @ 2021-07-23 14:03 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 913 bytes --]

New issue by paper42 on void-packages repository

https://github.com/void-linux/void-packages/issues/32156

Description:
There are no checks for setuid and setgid permissions right now which could potentially be a security risk.

a) `setugid=yes` allows both setuid and setgid permissions in all files in the package
b) `setugid="usr/bin/su"` per-file rules

split setuid and setgid rules
c) `setuid=yes; setgid=yes`
d) `setuid="usr/bin/su"; setgid=""`

I will prepare a post-install hook when it's decided which method is preferred. I like c) the most, because there are some packages providing just setgid binaries without needing setuid (mlocate). b) and d) sound too verbose to me and if a package provides a set{u,g}id binary, the whole package is trusted.

I would also like to ask someone with access to the binary repository to post here which packages have set{u,g}id binaries.

cc @ericonr

^ permalink raw reply	[flat|nested] 12+ messages in thread

end of thread, other threads:[~2022-08-17  2:43 UTC | newest]

Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-23 14:03 [ISSUE] [RFC] explicitly allow setuid and setgid permissions in templates paper42
2021-07-23 14:35 ` ericonr
2021-07-26 12:10 ` fosslinux
2021-07-26 13:33 ` paper42
2021-07-26 13:33 ` paper42
2021-07-26 13:33 ` paper42
2021-07-27 16:13 ` Duncaen
2021-07-27 16:13 ` Duncaen
2021-07-27 17:42 ` ericonr
2022-05-30  2:15 ` github-actions
2022-08-17  1:48 ` CameronNemo
2022-08-17  2:43 ` ericonr

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).