Github messages for voidlinux
* [ISSUE] [RFC] explicitly allow setuid and setgid permissions in templates
From: paper42 @ 2021-07-23 14:03 UTC (permalink / raw)
  To: ml


New issue by paper42 on void-packages repository

https://github.com/void-linux/void-packages/issues/32156

Description:
There are no checks for setuid and setgid permissions right now, which could potentially be a security risk.

a) `setugid=yes` allows both setuid and setgid permissions in all files in the package
b) `setugid="usr/bin/su"` per-file rules

split setuid and setgid rules
c) `setuid=yes; setgid=yes`
d) `setuid="usr/bin/su"; setgid=""`

I will prepare a post-install hook when it's decided which method is preferred. I like c) the most, because there are some packages providing just setgid binaries without needing setuid (mlocate). b) and d) sound too verbose to me and if a package provides a set{u,g}id binary, the whole package is trusted.

I would also like to ask someone with access to the binary repository to post here which packages have set{u,g}id binaries.

cc @ericonr


* Re: [RFC] explicitly allow setuid and setgid permissions in templates
From: ericonr @ 2021-07-23 14:35 UTC (permalink / raw)
  To: ml


New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/issues/32156#issuecomment-885684104

Comment:
> a) setugid=yes allows both setuid and setgid permissions in all files in the package

I don't think we need/should ship something with a gazillion `s[ug]id` binaries, so I think we should always list them explicitly. And what this allows us to do is also statically check that the permission bits are correct: if something like sudo's `make install` regresses for cross targets (wild example), it will be caught at package build time.

Statically checking `setgid` in Void is not really possible (it has to happen in `INSTALL`), because of how we (at least currently) manage groups. Most of the group usage is `chown root:<group>` then set perms to `4750`. However, again because it happens in `INSTALL`, this breaks static checking.


* Re: [RFC] explicitly allow setuid and setgid permissions in templates
From: fosslinux @ 2021-07-26 12:10 UTC (permalink / raw)
  To: ml


New comment by fosslinux on void-packages repository

https://github.com/void-linux/void-packages/issues/32156#issuecomment-886645998

Comment:
> I would also like to ask someone with access to the binary repository to post here which packages have set{u,g}id binaries.

Not sure how this is easily possible - that would require an extraction of all packages lol. Probably better to update the templates incrementally as they are touched (I think that's the normal procedure for these kinds of changes).


* Re: [RFC] explicitly allow setuid and setgid permissions in templates
From: paper42 @ 2021-07-26 13:33 UTC (permalink / raw)
  To: ml


New comment by paper42 on void-packages repository

https://github.com/void-linux/void-packages/issues/32156#issuecomment-886708063

Comment:
> > I would also like to ask someone with access to the binary repository to post here which packages have set{u,g}id binaries.
> 
> Not sure how this is easily possible - that would require an extraction of all packages lol. Probably better to update the templates incrementally as they are touched (I think that's the normal procedure for these kind of changes).

@fosslinux Permissions are in tar headers, so `tar tvf pkg.xbps` shows them.

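The point above, that the permission bits live in the tar headers of every package, carried one step further as an added example (this is not Void's tooling and not code from anyone in the thread): a shell filter that turns `tar tvf` mode strings into setuid/setgid findings, plus a loop that applies it to every `.xbps` file in a directory. The sample listing is constructed from lines in this thread; the repository layout, and tar being able to read the package compression directly, are assumptions.

```shell
#!/bin/sh
# Added example (not Void tooling): pull set{u,g}id entries straight from
# package tar headers, since `tar tvf pkg.xbps` exposes them. The mode-string
# parsing and the sample listing below are this example's own.

# setid_entries: reads `tar tvf` output on stdin and prints
#   <kind> <mode> <path>
# for regular files whose mode string has s/S in the owner execute slot
# (setuid, column 4) or the group execute slot (setgid, column 7).
# 'S' means the bit is set without execute permission; still worth flagging.
setid_entries() {
    awk '
    substr($1, 1, 1) == "-" {
        u = substr($1, 4, 1); g = substr($1, 7, 1)
        kind = ""
        if (u == "s" || u == "S") kind = "setuid"
        if (g == "s" || g == "S") kind = (kind == "" ? "setgid" : "setuid+setgid")
        if (kind != "") print kind, $1, $NF
    }'
}

# scan_repo DIR: run the filter over every .xbps in DIR, prefixing each hit
# with the package file name. Assumes tar can read the package compression
# (xz/zstd) on its own; the flat directory layout is an assumption too.
scan_repo() {
    for pkg in "$1"/*.xbps; do
        [ -e "$pkg" ] || continue
        tar tvf "$pkg" 2>/dev/null | setid_entries | sed "s|^|$(basename "$pkg") |"
    done
}

# Constructed sample in `tar tvf` format: a few lines taken from the listing
# Duncaen posts further down, plus a directory and a plain binary that must
# not be reported.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x 0/0               0 2021-07-25 04:23 ./usr/bin/
-rwxr-xr-x 0/0           59528 2021-07-25 04:23 ./usr/bin/ls
-rwsr-xr-x 0/0           71816 2021-07-25 04:23 ./usr/bin/su
-rwxr-sr-x 0/0          301376 2021-06-14 14:57 ./usr/bin/plocate
-rwsr-sr-x 0/0           59696 2021-04-27 09:46 ./usr/bin/at
-rwx--s--x 0/0           14408 2020-07-31 12:32 ./usr/lib/utempter/utempter
EOF
}

# Running the filter over the sample prints su, plocate, at and utempter,
# each tagged with its kind; ls and the directory entry are skipped.
sample_listing | setid_entries
```

Because the filter only looks at the first and last columns, it works on both GNU tar and bsdtar listings, whose middle columns differ. `scan_repo` does not need to extract anything, which is what makes a full sweep of a binary repository cheap.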

* Re: [RFC] explicitly allow setuid and setgid permissions in templates
From: Duncaen @ 2021-07-27 16:13 UTC (permalink / raw)
  To: ml


New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/issues/32156#issuecomment-887646009

Comment:
For x86_64-glibc:
```
-rwsr-xr-x 0/0           14576 2016-10-18 01:52 ./usr/bin/9mount
-rwsr-xr-x 0/0            6192 2016-10-18 01:52 ./usr/bin/9bind
-rwsr-xr-x 0/0           10288 2016-10-18 01:52 ./usr/bin/9umount
-rwxr-sr-x 0/0          285408 2019-07-02 09:26 ./usr/bin/powermanga
-rwsr-xr-x 0/0         1223160 2020-12-16 11:10 ./usr/bin/arcan
-rwsr-sr-x 0/0           59696 2021-04-27 09:46 ./usr/bin/at
-rwsr-sr-x 0/0           43856 2021-06-30 02:17 ./usr/bin/mount.cifs
-rwsr-xr-x 0/0           22576 2019-01-20 13:27 ./usr/bin/pseudo
-rwsr-xr-x 0/0           30768 2019-01-20 13:27 ./usr/bin/contain
-rwsr-xr-x 0/0           55984 2021-03-30 14:49 ./usr/bin/cronie-crontab
-rwsr-xr-x 0/0          481648 2020-11-10 15:19 ./usr/bin/dar
-rwsr-xr-x 0/0          129184 2020-11-21 19:30 ./usr/bin/mount.davfs
-rwsr-xr-x 0/0           22600 2021-02-24 16:14 ./usr/bin/dcrontab
-rwsr-xr-- 0/0           14400 2021-03-05 18:04 ./usr/lib/dma-mbox-create
-rwxr-sr-x 0/0           67848 2021-03-05 18:04 ./usr/bin/dma
-rwsr-sr-x 0/0           22600 2021-03-30 18:11 ./usr/bin/mount.ecryptfs_private
-rwsr-xr-x 0/0           22592 2021-05-25 07:25 ./usr/lib/electron10/chrome-sandbox
-rwsr-xr-x 0/0           22592 2021-07-11 15:30 ./usr/lib/electron12/chrome-sandbox
-rwsr-xr-x 0/0           22512 2020-09-06 11:43 ./usr/lib/electron7/chrome-sandbox
-rwsr-xr-x 0/0           22408 2021-01-22 10:00 ./usr/lib/electron9/chrome-sandbox
-rwsr-xr-x 0/0           51280 2020-12-26 19:36 ./usr/lib/enlightenment/utils/enlightenment_system
-rwsr-xr-x 0/0           22592 2020-12-26 19:36 ./usr/lib/enlightenment/utils/enlightenment_sys
-rwsr-xr-x 0/0           26704 2020-12-26 19:36 ./usr/lib/enlightenment/utils/enlightenment_ckpasswd
-rwsr-sr-x 0/0           80248 2021-04-04 23:14 ./usr/bin/fcrontab
-rwsr-xr-x 0/0           34904 2021-04-04 23:14 ./usr/bin/fcronsighup
-rwsr-sr-x 0/0           43984 2021-04-04 23:14 ./usr/bin/fcrondyn
-rwsr-xr-x 0/0          470472 2021-07-01 11:36 ./usr/bin/firejail
-rwsr-xr-x 0/0           34952 2019-01-05 05:42 ./usr/bin/fusermount
-rwsr-xr-x 0/0           34960 2021-06-15 15:29 ./usr/bin/fusermount3
-rwsr-xr-x 0/0           34968 2021-04-05 12:35 ./usr/bin/fusermount-glusterfs
-rwsr-xr-x 0/0           39048 2021-04-10 20:00 ./usr/bin/cgi-wrapper
-rwsr-xr-x 0/0           14400 2021-07-23 01:21 ./usr/bin/hikari-unlocker
-rwsr-xr-x 0/0          104688 2021-03-24 03:10 ./usr/bin/incrontab
-rwsr-xr-x 0/0           14408 2020-05-05 11:43 ./usr/bin/kbdlight
-rwsr-xr-x 0/0         3202528 2021-07-12 06:12 ./usr/bin/keybase-redirector
-rwsr-x--- 0/0          146216 2021-06-04 19:02 ./usr/bin/kismet_cap_rz_killerbee
-rwsr-xr-x 0/0           14496 2018-10-16 16:09 ./usr/bin/cgexec
-rwsr-xr-x 0/0           22608 2018-07-14 08:18 ./usr/bin/pam-escalate-helper
-rwx--s--x 0/0           14408 2020-07-31 12:32 ./usr/lib/utempter/utempter
-rwsr-xr-x 0/0          737656 2021-03-06 00:01 ./usr/libexec/lxc/lxc-user-nic
-rwsr-xr-x 0/0           14400 2021-05-29 19:17 ./usr/lib/mysql/plugin/auth_pam_tool_dir/auth_pam_tool
-rwsr-xr-x 0/0           55352 2021-03-05 11:40 ./usr/bin/ksu
-rws--x--x 0/0          133976 2021-06-15 15:38 ./usr/bin/mount.nfs
-rwsr-xr-x 0/0           43168 2021-01-28 22:10 ./usr/bin/doas
-rwsr-xr-x 0/0           18496 2021-05-24 19:28 ./usr/libexec/opensmtpd/lockspool
-rwxr-sr-x 0/0          232264 2021-05-24 19:28 ./usr/bin/smtpctl
-rws--x--x 0/0          510344 2021-04-21 16:47 ./usr/libexec/ssh-keysign
-rwsr-xr-x 0/0           38968 2021-01-04 02:32 ./usr/bin/unix_chkpwd
-rwsr-xr-x 0/0           22608 2019-01-30 01:14 ./usr/bin/physlock
-rwxr-sr-x 0/0          301376 2021-06-14 14:57 ./usr/bin/plocate
-rwsr-xr-x 0/0           39296 2021-01-12 15:33 ./usr/bin/pumount
-rwsr-xr-x 0/0           52928 2021-01-12 15:33 ./usr/bin/pmount
-rwsr-xr-x 0/0           18504 2021-06-11 03:22 ./usr/lib/polkit-1/polkit-agent-helper-1
-rwsr-xr-x 0/0           30776 2021-06-11 03:22 ./usr/bin/pkexec
-rwsr-xr-x 0/0          238824 2021-06-25 16:01 ./usr/libexec/qemu-bridge-helper
-rwsr-xr-x 0/0           14400 2021-03-06 00:01 ./usr/libexec/s-nail-dotlock
-rwsr-xr-x 0/0         1113432 2020-01-25 20:03 ./usr/bin/schroot-sbuild
-rwsr-xr-x 0/0         1113424 2020-01-25 20:03 ./usr/bin/schroot
-rwsr-xr-x 0/0         1117520 2020-01-25 20:03 ./usr/bin/dchroot
-rwsr-xr-x 0/0           40488 2020-02-14 08:54 ./usr/bin/sg
-rwsr-xr-x 0/0           59760 2020-02-14 08:54 ./usr/bin/passwd
-rwsr-xr-x 0/0           37208 2020-02-14 08:54 ./usr/bin/newuidmap
-rwsr-xr-x 0/0           37208 2020-02-14 08:54 ./usr/bin/newgidmap
-rwsr-xr-x 0/0           67704 2020-02-14 08:54 ./usr/bin/gpasswd
-rwsr-xr-x 0/0           26984 2020-02-14 08:54 ./usr/bin/expiry
-rwsr-xr-x 0/0           71960 2020-02-14 08:54 ./usr/bin/chage
-rwsr-xr-x 0/0           14456 2016-11-22 01:24 ./usr/bin/slock
-rwsr-xr-x 0/0           18520 2021-05-14 13:17 ./usr/libexec/spice-client-glib-usb-acl-helper
-rwsr-xr-x 0/0           80600 2021-06-15 19:53 ./usr/libexec/squid/pinger
-rwsr-xr-x 0/0           22608 2021-06-15 19:53 ./usr/libexec/squid/basic_pam_auth
-rwsr-xr-x 0/0           26776 2021-06-15 19:53 ./usr/libexec/squid/basic_ncsa_auth
-rwsr-xr-x 0/0          174536 2021-05-24 22:21 ./usr/bin/sudo
-rwxr-sr-x 0/0           14400 2020-04-30 22:51 ./usr/bin/makeweb
-rwsr-xr-x 0/0          116888 2021-01-12 14:07 ./usr/bin/udevil
-rwsr-xr-x 0/0           34952 2021-07-25 04:23 ./usr/bin/umount
-rwsr-xr-x 0/0           71816 2021-07-25 04:23 ./usr/bin/su
-rwsr-xr-x 0/0           18568 2021-07-25 04:23 ./usr/bin/newgrp
-rwsr-xr-x 0/0           59528 2021-07-25 04:23 ./usr/bin/mount
-rwsr-xr-x 0/0           34952 2021-07-25 04:23 ./usr/bin/chsh
-rwsr-xr-x 0/0           39048 2021-07-25 04:23 ./usr/bin/chfn
-rwsr-xr-x 0/0          166536 2021-04-30 15:24 ./usr/lib/virtualbox/VirtualBoxVM
-rwsr-xr-x 0/0          166528 2021-04-30 15:24 ./usr/lib/virtualbox/VBoxSDL
-rwsr-xr-x 0/0          166536 2021-04-30 15:24 ./usr/lib/virtualbox/VBoxNetNAT
-rwsr-xr-x 0/0          166536 2021-04-30 15:24 ./usr/lib/virtualbox/VBoxNetDHCP
-rwsr-xr-x 0/0           31368 2021-04-30 15:24 ./usr/lib/virtualbox/VBoxNetAdpCtl
-rwsr-xr-x 0/0          166536 2021-04-30 15:24 ./usr/lib/virtualbox/VBoxHeadless
-rwsr-xr-x 0/0           16167 2019-01-22 12:35 ./usr/bin/vpsm
-rwsr-xr-x 0/0           22592 2021-01-29 03:52 ./usr/bin/weston-launch
-rwxr-sr-x 0/0           14424 2021-05-31 23:14 ./usr/lib/x2go/libx2go-server-db-sqlite3-wrapper
-rws--x--x 0/0           14392 2018-11-24 17:59 ./usr/lib/xcdroast/bin/xcdrwrap
-rwsr-xr-x 0/0         1895824 2020-10-29 14:15 ./usr/bin/xlock
-rwsr-xr-x 0/0           14672 2021-07-10 16:19 ./usr/libexec/Xorg.wrap
-rwsr-xr-x 0/0          308000 2021-07-23 12:50 ./usr/libexec/xscreensaver/xscreensaver-auth
-rwsr-xr-x 0/0          160400 2021-07-23 12:50 ./usr/libexec/xscreensaver/sonar
```


* Re: [RFC] explicitly allow setuid and setgid permissions in templates
From: ericonr @ 2021-07-27 17:42 UTC (permalink / raw)
  To: ml


New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/issues/32156#issuecomment-887705175

Comment:
```
-rwsr-xr-x 0/0           22592 2021-05-25 07:25 ./usr/lib/electron10/chrome-sandbox
-rwsr-xr-x 0/0           22592 2021-07-11 15:30 ./usr/lib/electron12/chrome-sandbox
-rwsr-xr-x 0/0           22512 2020-09-06 11:43 ./usr/lib/electron7/chrome-sandbox
-rwsr-xr-x 0/0           22408 2021-01-22 10:00 ./usr/lib/electron9/chrome-sandbox
```

can probably be removed from the package; we should be using the user namespace sandbox by now.

I wonder if the mount utilities need suid? Shouldn't `mount` itself being suid be enough?

Curious what `cgi-wrapper` from `hiawatha` needs suid for...

As discussed over IRC, `vpsm` being suid doesn't make a difference, since it's a shell script, but it needs to be fixed.


* Re: [RFC] explicitly allow setuid and setgid permissions in templates
From: github-actions @ 2022-05-30  2:15 UTC (permalink / raw)
  To: ml


New comment by github-actions[bot] on void-packages repository

https://github.com/void-linux/void-packages/issues/32156#issuecomment-1140611887

Comment:
Issues become stale 90 days after last activity and are closed 14 days after that. If this issue is still relevant bump it or assign it.


* Re: [RFC] explicitly allow setuid and setgid permissions in templates
From: CameronNemo @ 2022-08-17  1:48 UTC (permalink / raw)
  To: ml


New comment by CameronNemo on void-packages repository

https://github.com/void-linux/void-packages/issues/32156#issuecomment-1217365988

Comment:
I am a little unsure of the scope here. Will this help avoid setting the suid bit in INSTALL files? If so, don't we need to list each suid binary explicitly? Or is that something that should be done in do_install or post_install and then just say `setuid=yes`?


* Re: [RFC] explicitly allow setuid and setgid permissions in templates
From: ericonr @ 2022-08-17  2:43 UTC (permalink / raw)
  To: ml


New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/issues/32156#issuecomment-1217393353

Comment:
> Will this help avoid setting the suid bit in INSTALL files?

No, it's mostly unrelated. The INSTALL files are needed in case a file has owners other than `root:root` and needs the permissions. This PR can't really touch those, at least as it stands.

> If so, don't we need to list each suid binary explicitly?

We still need to do so. The idea is to have a lint that checks that the files have the permission expected of them; `setuid=yes` is a blanket option that wouldn't help in catching small issues that passed by accidentally.

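As an added example, not code from the thread and not from void-packages: what the lint proposed in the opening message and described in the reply just above could look like, taking option c)'s `setuid=`/`setgid=` variables as space-separated lists of paths relative to `DESTDIR` (that interface, and the hook layout, are assumptions). It fails on any undeclared set-id file, fails on any declared file that does not actually carry the bit (the regressing `make install` case), and warns when a set-id bit sits on an interpreted script, where the Linux kernel ignores it (the `vpsm` case).

```shell
#!/bin/sh
# Added example (not void-packages code): a build-time lint in the spirit of
# option c), where a template declares which installed files may be
# setuid/setgid and the hook verifies DESTDIR against that declaration.
# The setuid=/setgid= variables (space-separated paths relative to DESTDIR)
# are an assumed interface, not xbps-src's actual one.

# in_list NEEDLE "a b c": true when NEEDLE is one of the words.
in_list() {
    for word in $2; do
        [ "$word" = "$1" ] && return 0
    done
    return 1
}

# check_setids DESTDIR "setuid paths" "setgid paths"
# Returns 0 only when the installed tree matches the declaration exactly:
#   - every setuid/setgid file under DESTDIR is declared, and
#   - every declared path exists and actually carries the bit.
check_setids() {
    destdir=$1; allow_setuid=$2; allow_setgid=$3; rc=0
    found=$(mktemp)
    find "$destdir" -type f \( -perm -4000 -o -perm -2000 \) | sort > "$found"
    while read -r path; do
        [ -n "$path" ] || continue
        rel=${path#"$destdir"/}
        # test -u / test -g are POSIX: set-user-ID / set-group-ID bit present.
        if [ -u "$path" ] && ! in_list "$rel" "$allow_setuid"; then
            echo "ERROR: undeclared setuid file: $rel"; rc=1
        fi
        if [ -g "$path" ] && ! in_list "$rel" "$allow_setgid"; then
            echo "ERROR: undeclared setgid file: $rel"; rc=1
        fi
        # The kernel ignores set-id bits on interpreted scripts, so a shebang
        # file with the bit set is dead weight and usually a packaging mistake.
        case $(head -c 2 "$path") in
            '#!') echo "WARNING: $rel is a script; its set-id bit has no effect" ;;
        esac
    done < "$found"
    rm -f "$found"
    # Declared but missing: catches an install step that silently dropped the bit.
    for rel in $allow_setuid; do
        [ -u "$destdir/$rel" ] || { echo "ERROR: declared setuid but bit missing: $rel"; rc=1; }
    done
    for rel in $allow_setgid; do
        [ -g "$destdir/$rel" ] || { echo "ERROR: declared setgid but bit missing: $rel"; rc=1; }
    done
    return $rc
}

# Demonstration on a constructed DESTDIR; the files are placeholders, not binaries.
# Expected: an error for vpsm (undeclared, plus a script warning), an error for
# mount (declared setuid but the bit is gone), and a non-zero exit status.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin"
    printf 'bin' > "$d/usr/bin/su";      chmod 4755 "$d/usr/bin/su"       # declared, correct
    printf 'bin' > "$d/usr/bin/plocate"; chmod 2755 "$d/usr/bin/plocate"  # declared setgid, correct
    printf 'bin' > "$d/usr/bin/mount";   chmod 755  "$d/usr/bin/mount"    # declared setuid, bit lost
    printf '#!/bin/sh\n' > "$d/usr/bin/vpsm"; chmod 4755 "$d/usr/bin/vpsm" # undeclared, and a script
    check_setids "$d" "usr/bin/su usr/bin/mount" "usr/bin/plocate"
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Files that must belong to a non-root group with mode 4750, as noted earlier in the thread, are still set up in INSTALL at package install time and stay outside what a DESTDIR lint can see; the check above only covers bits that are present at build time, which is exactly the static-checking limit described above.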
