Github messages for voidlinux
From: paper42 <paper42@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: [PR PATCH] [Updated] [WIP]: hooks/post-install: add check setuid/setgid hook
Date: Sat, 25 Feb 2023 12:30:29 +0100	[thread overview]
Message-ID: <20230225113029.JD5ml2mRrrO0NThr68Mx_vyhKmwkxcHCmKMD5MaaY88@z> (raw)
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-33011@inbox.vuxu.org>

[-- Attachment #1: Type: text/plain, Size: 384 bytes --]

There is an updated pull request by paper42 against master on the void-packages repository

https://github.com/paper42/void-packages setuid-setgid-hook
https://github.com/void-linux/void-packages/pull/33011

[WIP]: hooks/post-install: add check setuid/setgid hook
Closes #32156

cc @ericonr

A patch file from https://github.com/void-linux/void-packages/pull/33011.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-setuid-setgid-hook-33011.patch --]
[-- Type: text/x-diff, Size: 47184 bytes --]

From c26a08ebbe98f57cc818ba6e8bf8731f2289b36c Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 18 Sep 2021 13:42:00 +0200
Subject: [PATCH 01/58] hooks/post-install: add check setuid/setgid hook

---
 .../post-install/15-check-setuid-setgid.sh    | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 common/hooks/post-install/15-check-setuid-setgid.sh

diff --git a/common/hooks/post-install/15-check-setuid-setgid.sh b/common/hooks/post-install/15-check-setuid-setgid.sh
new file mode 100644
index 000000000000..dae87c2b3d5c
--- /dev/null
+++ b/common/hooks/post-install/15-check-setuid-setgid.sh
@@ -0,0 +1,26 @@
+dofind() {
+	error=
+	for setidfile in $(find "$PKGDESTDIR" -type f -perm -"$1"); do
+		matched=
+		for allowed_file in ${!2}; do
+			if [ "$PKGDESTDIR$allowed_file" = "$setidfile" ]; then
+				matched=y
+				break
+			fi
+		done
+		if [ -n "$matched" ]; then
+			echo "$2 file: ${setidfile#$PKGDESTDIR}"
+		else
+			msg_red "not allowed $2 file: ${setidfile#$PKGDESTDIR}\n"
+			error=y
+		fi
+	done
+	if [ -n "$error" ]; then
+		msg_error "$2 files not explicitly allowed, please list them in \$$2\n"
+	fi
+}
+
+hook() {
+	dofind 4000 setuid
+	dofind 2000 setgid
+}
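Review bot: The loop header `for setidfile in $(find "$PKGDESTDIR" -type f -perm -"$1"); do` word-splits and glob-expands find's output, so a set-id file whose path contains whitespace or a glob character is compared in fragments and is never matched or reported under its real name. Reading the paths NUL-delimited keeps them intact: `while IFS= read -r -d '' setidfile; do` closed by `done < <(find "$PKGDESTDIR" -type f -perm -"$1" -print0)`; the unquoted pattern in `${setidfile#$PKGDESTDIR}` should likewise become `${setidfile#"$PKGDESTDIR"}`. The check also runs in one direction only: an entry in `$setuid`/`$setgid` that matches no file carrying the bit is accepted silently, so a stale entry would pre-approve the bit if a later build starts setting it. `error`, `matched`, `setidfile` and `allowed_file` are assigned without `local`, so they remain set in the calling shell after `dofind` returns.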

From 0ceea9b62aa43a9d0bdf352bf7f8baca01058f7a Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:33 +0100
Subject: [PATCH 02/58] ecryptfs-utils: add $setuid and $setgid

---
 srcpkgs/ecryptfs-utils/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/ecryptfs-utils/template b/srcpkgs/ecryptfs-utils/template
index 6bdc07b97c32..d8faed1cd554 100644
--- a/srcpkgs/ecryptfs-utils/template
+++ b/srcpkgs/ecryptfs-utils/template
@@ -17,6 +17,8 @@ homepage="http://ecryptfs.org/"
 distfiles="http://launchpad.net/ecryptfs/trunk/${version}/+download/${pkgname}_${version}.orig.tar.gz"
 checksum=112cb3e37e81a1ecd8e39516725dec0ce55c5f3df6284e0f4cc0f118750a987f
 lib32disabled=yes
+setuid="/usr/bin/mount.ecryptfs_private"
+setgid="/usr/bin/mount.ecryptfs_private"
 
 CPPFLAGS="-D_FILE_OFFSET_BITS=64 -I${XBPS_CROSS_BASE}/usr/include/python2.7"
 

From 67b3ee6446a5590b4401ea7233d5ebf487dc8e68 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:28 +0100
Subject: [PATCH 03/58] cifs-utils: add $setuid and $setgid

---
 srcpkgs/cifs-utils/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/cifs-utils/template b/srcpkgs/cifs-utils/template
index 5576b371ca6a..331a0878b36d 100644
--- a/srcpkgs/cifs-utils/template
+++ b/srcpkgs/cifs-utils/template
@@ -14,6 +14,8 @@ homepage="https://wiki.samba.org/index.php/LinuxCIFS_utils"
 distfiles="https://ftp.samba.org/pub/linux-cifs/${pkgname}/${pkgname}-${version}.tar.bz2"
 checksum=a7b6940e93250c1676a6fa66b6ead91b78cd43a5fee99cc462459c8b9cf1e6f4
 python_version=3
+setuid="/usr/bin/mount.cifs"
+setgid="/usr/bin/mount.cifs"
 
 pre_configure() {
 	autoreconf -fi

From 408fcd18959169201d82f57c8db129b0dd091a92 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:44:48 +0100
Subject: [PATCH 04/58] s-nail: add $setuid

---
 srcpkgs/s-nail/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/s-nail/template b/srcpkgs/s-nail/template
index 7a171cea0d27..f8483be17854 100644
--- a/srcpkgs/s-nail/template
+++ b/srcpkgs/s-nail/template
@@ -12,6 +12,7 @@ license="BSD-4-Clause, BSD-3-Clause, BSD-2-Clause, ISC"
 homepage="https://git.sdaoden.eu/cgit/s-nail.git"
 distfiles="https://www.sdaoden.eu/downloads/s-nail-${version}.tar.xz"
 checksum=2714d6b8fb2af3b363fc7c79b76d058753716345d1b6ebcd8870ecd0e4f7ef8c
+setuid="/usr/libexec/s-nail-dotlock"
 
 provides="mail-${version}_${revision}"
 

From 8cc5b9e91f1268311961be019aa40f27a7c9a0f9 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:36:05 +0100
Subject: [PATCH 05/58] opendoas: add $setuid

---
 srcpkgs/opendoas/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/opendoas/template b/srcpkgs/opendoas/template
index 5254f280b801..9e93eaaf26fc 100644
--- a/srcpkgs/opendoas/template
+++ b/srcpkgs/opendoas/template
@@ -13,6 +13,7 @@ license="ISC, BSD-3-Clause"
 homepage="https://github.com/Duncaen/OpenDoas"
 distfiles="https://github.com/Duncaen/OpenDoas/archive/v${version}.tar.gz"
 checksum=6da058a0e70b7543bc60624389b0b00b686189ec933828c522bf8b2600495a67
+setuid="/usr/bin/doas"
 
 build_options="pam timestamp"
 build_options_default="pam timestamp"

From a9c7abc26ecb18b5d2a9afa75e06948e483f507a Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:50:19 +0100
Subject: [PATCH 06/58] weston: add $setuid

---
 srcpkgs/weston/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/weston/template b/srcpkgs/weston/template
index b517c10c98ca..465d5310a9b5 100644
--- a/srcpkgs/weston/template
+++ b/srcpkgs/weston/template
@@ -21,6 +21,7 @@ distfiles="https://wayland.freedesktop.org/releases/${pkgname}-${version}.tar.xz
 checksum=5cf5d6ce192e0eb15c1fc861a436bf21b5bb3b91dbdabbdebe83e1f83aa098fe
 system_groups="weston-launch"
 lib32disabled=yes
+setuid="/usr/bin/weston-launch"
 
 # Package build options
 build_options="elogind vaapi"

From 172cac70c2ffaa7d3bf67ecf7df7dc5ab46703e0 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 01:22:39 +0100
Subject: [PATCH 07/58] enlightenment: set $setuid

---
 srcpkgs/enlightenment/template | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/srcpkgs/enlightenment/template b/srcpkgs/enlightenment/template
index ec1a084618db..d6406be26df8 100644
--- a/srcpkgs/enlightenment/template
+++ b/srcpkgs/enlightenment/template
@@ -20,6 +20,9 @@ checksum=56db5d206b821b9a8831d26e713e410ac70b2255a6f43fcdf7c01eefde23b7a2
 lib32disabled=yes
 build_options="wayland"
 build_options_default="wayland"
+setuid="/usr/lib/enlightenment/utils/enlightenment_ckpasswd
+ /usr/lib/enlightenment/utils/enlightenment_sys
+ /usr/lib/enlightenment/utils/enlightenment_system"
 
 if [ "$CROSS_BUILD" -a "$build_option_wayland" ]; then
 	hostmakedepends+=" wayland-devel"

From 15d264d24966f39df29e4bc0fa5c83e82bdbdfca Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:35:48 +0100
Subject: [PATCH 08/58] nfs-utils: add $setuid

---
 srcpkgs/nfs-utils/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/nfs-utils/template b/srcpkgs/nfs-utils/template
index 252a7355b683..363c72c9ab67 100644
--- a/srcpkgs/nfs-utils/template
+++ b/srcpkgs/nfs-utils/template
@@ -15,6 +15,7 @@ homepage="https://www.linux-nfs.org/"
 distfiles="${KERNEL_SITE}/utils/${pkgname}/${version}/${pkgname}-${version}.tar.xz"
 checksum=5200873e81c4d610e2462fc262fe18135f2dbe78b7979f95accd159ae64d5011
 replaces="rpcgen>=0"
+setuid="/usr/bin/mount.nfs"
 
 hostmakedepends="pkg-config libtirpc-devel rpcsvc-proto"
 makedepends="libblkid-devel libmount-devel libtirpc-devel

From 048922a34f4d3c0c5916d9f2ca4af61ec45dd5c6 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:31:52 +0100
Subject: [PATCH 09/58] libcgroup: add $setuid

---
 srcpkgs/libcgroup/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/libcgroup/template b/srcpkgs/libcgroup/template
index 18dfd5c9f8e5..499d9e16cb1b 100644
--- a/srcpkgs/libcgroup/template
+++ b/srcpkgs/libcgroup/template
@@ -13,6 +13,7 @@ license="LGPL-2.1-only"
 homepage="https://github.com/libcgroup/libcgroup"
 distfiles="https://github.com/libcgroup/libcgroup/releases/download/v${version%.*}/libcgroup-${version}.tar.gz"
 checksum=8d284d896fca1c981b55850e92acd3ad9648a69227c028dda7ae3402af878edd
+setuid="/usr/bin/cgexec"
 
 case "$XBPS_TARGET_MACHINE" in
 	*-musl)	# Add musl-fts implementation

From 9068b5420468aad37fe7901ba4f12e1c92b8e57d Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:37:34 +0100
Subject: [PATCH 10/58] physlock: add $setuid

---
 srcpkgs/physlock/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/physlock/template b/srcpkgs/physlock/template
index 0f091d24444c..f7faecb98250 100644
--- a/srcpkgs/physlock/template
+++ b/srcpkgs/physlock/template
@@ -11,6 +11,7 @@ license="GPL-2.0-or-later"
 homepage="https://github.com/muennich/physlock"
 distfiles="${homepage}/archive/v${version}.tar.gz"
 checksum=9ae4716a1e916f141e47a01b439133ca382281ebdcbec1e53f85da6771774bd6
+setuid="/usr/bin/physlock"
 
 CFLAGS="-D_GNU_SOURCE"
 

From fc59b7e5e08d87b5fa16c2cad932bef073686e43 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:35 +0100
Subject: [PATCH 11/58] fuse3: add $setuid

---
 srcpkgs/fuse3/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/fuse3/template b/srcpkgs/fuse3/template
index 5fcf41be2e86..bd7bb00ee8ed 100644
--- a/srcpkgs/fuse3/template
+++ b/srcpkgs/fuse3/template
@@ -14,6 +14,7 @@ changelog="https://raw.githubusercontent.com/libfuse/libfuse/master/ChangeLog.rs
 distfiles="https://github.com/libfuse/libfuse/releases/download/fuse-${version}/fuse-${version}.tar.xz"
 checksum=6cd0759944c9aeb3d078b24a97b8a5cd5d49a0b8b7f15f85f32ac0c8a662fb6e
 conf_files="/etc/fuse.conf"
+setuid="/usr/bin/fusermount3"
 # Tests require root
 make_check=no
 

From a13510201c63aabafc3ebe18dd48122484a65ff5 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:39 +0100
Subject: [PATCH 12/58] incron: add $setuid

---
 srcpkgs/incron/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/incron/template b/srcpkgs/incron/template
index 14222e496d94..fb6cd128ed4a 100644
--- a/srcpkgs/incron/template
+++ b/srcpkgs/incron/template
@@ -8,6 +8,7 @@ license="X11"
 homepage="https://github.com/ar-/incron"
 distfiles="https://github.com/ar-/incron/archive/${version}.tar.gz"
 checksum=cce80bd723bafce59f35464f2f851d02707e32efa102e2b941ed0e42bdd38f91
+setuid="/usr/bin/incrontab"
 
 make_dirs="/var/spool/incron 0755 root root
  /etc/incron.d 0755 root root"

From f5cb5962c815cf27f3d685682575c07a45add43d Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:32:36 +0100
Subject: [PATCH 13/58] libpam-policycache: add $setuid

---
 srcpkgs/libpam-policycache/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/libpam-policycache/template b/srcpkgs/libpam-policycache/template
index 6777b0856dd6..921fccd61886 100644
--- a/srcpkgs/libpam-policycache/template
+++ b/srcpkgs/libpam-policycache/template
@@ -12,6 +12,7 @@ homepage="https://github.com/google/libpam-policycache"
 distfiles="https://github.com/google/libpam-policycache/archive/v$version.tar.gz"
 checksum=d1a074493d3a4076094a79093ec02c8fdd886069b9624d8b6765f7a1e840fae6
 CFLAGS="-Wno-error=deprecated-declarations"
+setuid="/usr/bin/pam-escalate-helper"
 
 make_dirs="/etc/libpam-policycache.d 0755 root root
  /var/cache/libpam-policycache 0700 root root"

From a7f8104e59eb135d25b19c0734d77b085c068134 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:36:55 +0100
Subject: [PATCH 14/58] openssh: add $setuid

---
 srcpkgs/openssh/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/openssh/template b/srcpkgs/openssh/template
index 3adadcdbac33..adb2604ef937 100644
--- a/srcpkgs/openssh/template
+++ b/srcpkgs/openssh/template
@@ -26,6 +26,7 @@ distfiles="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${ver
 checksum=3f66dbf1655fb45f50e1c56da62ab01218c228807b21338d634ebcdf9d71cf46
 conf_files="/etc/ssh/moduli /etc/ssh/ssh_config /etc/ssh/sshd_config /etc/pam.d/sshd"
 make_dirs="/var/chroot/ssh 0755 root root"
+setuid="/usr/libexec/ssh-keysign"
 
 # Package build options
 build_options="fido2 gssapi ldns ssl"

From 888bcaa250e33aeb0e74c5069bd9044ff3c20a1e Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:47:17 +0100
Subject: [PATCH 15/58] slock: add $setuid

---
 srcpkgs/slock/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/slock/template b/srcpkgs/slock/template
index aa7890a49973..6612c55dcf01 100644
--- a/srcpkgs/slock/template
+++ b/srcpkgs/slock/template
@@ -10,6 +10,7 @@ license="MIT"
 homepage="http://tools.suckless.org/slock"
 distfiles="http://dl.suckless.org/tools/slock-${version}.tar.gz"
 checksum=aee1e3fbf6a277fb625a3838073b979b6483e7baca4ce82f56de1ff192db0e4d
+setuid="/usr/bin/slock"
 
 do_build() {
 	[ -e ${FILESDIR}/config.h ] && cp ${FILESDIR}/config.h config.h

From 4f58216ba7a7af8502b73bb38be2fca53736d6dd Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:40:16 +0100
Subject: [PATCH 16/58] polkit: add $setuid

---
 srcpkgs/polkit/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/polkit/template b/srcpkgs/polkit/template
index 84ab7453bb9b..aa7038f0e71c 100644
--- a/srcpkgs/polkit/template
+++ b/srcpkgs/polkit/template
@@ -21,6 +21,8 @@ changelog="https://gitlab.freedesktop.org/polkit/polkit/-/raw/master/NEWS"
 distfiles="${FREEDESKTOP_SITE}/${pkgname}/releases/${pkgname}-${version}.tar.gz"
 checksum=9dc7ae341a797c994a5a36da21963f0c5c8e3e5a1780ccc2a5f52e7be01affaa
 system_accounts="polkitd"
+setuid="/usr/bin/pkexec
+ /usr/lib/polkit-1/polkit-agent-helper-1"
 #replaces="polkit-elogind>=0"
 #provides="polkit-elogind-${version}_${revision}"
 

From 7b70c0f66060841de07fbff7397168362b10d8c0 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:34 +0100
Subject: [PATCH 17/58] fuse: add $setuid

---
 srcpkgs/fuse/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/fuse/template b/srcpkgs/fuse/template
index b4fe1571f575..fa44380b9f8d 100644
--- a/srcpkgs/fuse/template
+++ b/srcpkgs/fuse/template
@@ -11,6 +11,7 @@ license="GPL-2.0-or-later, LGPL-2.1-or-later"
 homepage="https://github.com/libfuse/libfuse"
 distfiles="${homepage}/releases/download/${pkgname}-${version}/${pkgname}-${version}.tar.gz"
 checksum=d0e69d5d608cc22ff4843791ad097f554dd32540ddc9bed7638cc6fea7c1b4b5
+setuid="/usr/bin/fusermount"
 
 pre_configure() {
 	autoreconf -fi

From 8b8f64102aab35468d3c3ae0d3ffa0ecd97dd9d3 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:34:35 +0100
Subject: [PATCH 18/58] mariadb: add $setuid

---
 srcpkgs/mariadb/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/mariadb/template b/srcpkgs/mariadb/template
index 71409f89930c..c594e7ea10a3 100644
--- a/srcpkgs/mariadb/template
+++ b/srcpkgs/mariadb/template
@@ -37,6 +37,7 @@ make_dirs="/var/lib/mysql 0700 mysql mysql
  /usr/lib/mysql/plugin/auth_pam_tool_dir 0700 mysql root"
 CFLAGS="-UNDEBUG"
 CXXFLAGS="-UNDEBUG"
+setuid="/usr/lib/mysql/plugin/auth_pam_tool_dir/auth_pam_tool"
 
 post_patch() {
 	case "$XBPS_TARGET_MACHINE" in

From c73a0de47fb6a920d4fc849fa77ac24ee221bbb3 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:47:46 +0100
Subject: [PATCH 19/58] spice-gtk: add $setuid

---
 srcpkgs/spice-gtk/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/spice-gtk/template b/srcpkgs/spice-gtk/template
index 3afa0268ee9f..dee6a7c8285c 100644
--- a/srcpkgs/spice-gtk/template
+++ b/srcpkgs/spice-gtk/template
@@ -22,6 +22,7 @@ homepage="https://spice-space.org"
 changelog="https://gitlab.freedesktop.org/spice/spice-gtk/-/raw/master/CHANGELOG.md"
 distfiles="https://spice-space.org/download/gtk/${pkgname}-${version}.tar.xz"
 checksum=d8f8b5cbea9184702eeb8cc276a67d72acdb6e36e7c73349fb8445e5bca0969f
+setuid="/usr/libexec/spice-client-glib-usb-acl-helper"
 
 CFLAGS="-Wno-error -Wno-error=unused-but-set-variable"
 

From eebac9f62fb9b3125a9571b784cae0be9e2d073f Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 00:49:24 +0100
Subject: [PATCH 20/58] uucp: add $setuid

---
 srcpkgs/uucp/template | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/uucp/template b/srcpkgs/uucp/template
index 2b2b6f758fae..3719a4820ea2 100644
--- a/srcpkgs/uucp/template
+++ b/srcpkgs/uucp/template
@@ -11,7 +11,13 @@ license="GPL-2.0-or-later"
 homepage="https://www.gnu.org/software/uucp/uucp.html"
 distfiles="${GNU_SITE}/$pkgname/$pkgname-$version.tar.gz"
 checksum=060c15bfba6cfd1171ad81f782789032113e199a5aded8f8e0c1c5bd1385b62c
-patch_args="-Np1"
+setuid="/usr/bin/uuname
+ /usr/bin/uuxqt
+ /usr/bin/uucp
+ /usr/bin/cu
+ /usr/bin/uux
+ /usr/bin/uucico
+ /usr/bin/uustat"
 
 system_accounts="_uucp"
 _uucp_homedir="/var/spool/uucp"
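Review bot: The hunk also deletes `patch_args="-Np1"`, which the subject "add $setuid" does not mention. If the package's patches rely on that strip level and the build system's default differs, they would stop applying; if the default is already `-Np1`, the removal is harmless but unrelated to the allowlist. Keep `patch_args="-Np1"` in this commit and drop it in a separate one, or name the removal in the commit message.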

From bdd1dd20d0be42f1cfcb54dbe724299b94171651 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:31 +0100
Subject: [PATCH 21/58] dar: add $setuid

---
 srcpkgs/dar/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/dar/template b/srcpkgs/dar/template
index c289909e8122..979ec2f21d93 100644
--- a/srcpkgs/dar/template
+++ b/srcpkgs/dar/template
@@ -14,6 +14,7 @@ license="GPL-2.0-or-later"
 homepage="http://dar.linux.free.fr/"
 distfiles="${SOURCEFORGE_SITE}/dar/dar-${version}.tar.gz"
 checksum=3fea9ff9e55fb9827e17a080de7d1a2605b82c2320c0dec969071efefdbfd097
+setuid="/usr/bin/dar"
 
 if [ "$CROSS_BUILD" ]; then
 	configure_args+=" --with-gpgme-prefix=${XBPS_CROSS_BASE}/usr
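Review bot: `setuid="/usr/bin/dar"` allowlists a general-purpose archiver rather than a dedicated privilege helper, and the template gives no reason for the bit. Before it is recorded as intended, confirm that the package really needs it and say why in a comment above the line, e.g. `# setuid: <reason dar needs the bit>`. If it turns out not to be needed, the install step should clear the bit so the hook has nothing to allow.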

From 4b56dd67bd93216087d795a811dd27504702b7ab Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 22:53:36 +0100
Subject: [PATCH 22/58] keybase: add $setuid

---
 srcpkgs/keybase/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/keybase/template b/srcpkgs/keybase/template
index 8db0a57472f7..708f116059d5 100644
--- a/srcpkgs/keybase/template
+++ b/srcpkgs/keybase/template
@@ -16,6 +16,7 @@ license="BSD-3-Clause"
 homepage="https://keybase.io/"
 distfiles="https://github.com/keybase/client/releases/download/v$version/keybase-v$version.tar.xz"
 checksum=5e89792105ce29420e92ebeaf8055db5e7d67de5e181f83f69904356ddeb8c71
+setuid="/usr/bin/keybase-redirector"
 
 post_install() {
 	vlicense LICENSE

From 11d5b382ec88dba7e10f89b47819b52931d4a413 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:33 +0100
Subject: [PATCH 23/58] dcron: add $setuid

---
 srcpkgs/dcron/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/dcron/template b/srcpkgs/dcron/template
index ab92850344ee..c0eabe30674e 100644
--- a/srcpkgs/dcron/template
+++ b/srcpkgs/dcron/template
@@ -11,6 +11,7 @@ changelog="https://raw.githubusercontent.com/dubiousjim/dcron/v${version}/CHANGE
 distfiles="https://github.com/dubiousjim/dcron/archive/v${version}.tar.gz"
 checksum=7c047194b9339b781971b000bf5512c11e856d20a14fe5323d5a1823f04c2a3f
 provides="cron-daemon-0_1"
+setuid="/usr/bin/dcrontab"
 
 alternatives="
  crond:crond:/etc/sv/dcron

From 7355c848584290f7b1eed2afe0a9902f3df4b79f Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 22:56:15 +0100
Subject: [PATCH 24/58] kbdlight: add $setuid

---
 srcpkgs/kbdlight/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/kbdlight/template b/srcpkgs/kbdlight/template
index 32bfec5560a5..4fb408d0dd3e 100644
--- a/srcpkgs/kbdlight/template
+++ b/srcpkgs/kbdlight/template
@@ -9,6 +9,7 @@ license="MIT"
 homepage="https://github.com/hobarrera/kbdlight"
 distfiles="https://github.com/hobarrera/${pkgname}/archive/v${version}.tar.gz"
 checksum=7d852d544f73e27245b7c21d820ede7c7c3e0992f37fb17cf257fd03e3926bb1
+setuid="/usr/bin/kbdlight"
 
 post_install() {
 	vlicense LICENCE

From ae038160ca5f1f0809c4f006dcacf04f1205652e Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:29 +0100
Subject: [PATCH 25/58] containers: add $setuid

---
 srcpkgs/containers/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/containers/template b/srcpkgs/containers/template
index 7f7ebc7f8178..b8509ce477fc 100644
--- a/srcpkgs/containers/template
+++ b/srcpkgs/containers/template
@@ -9,6 +9,8 @@ license="MIT"
 homepage="https://github.com/arachsys/containers"
 distfiles="https://github.com/arachsys/containers/archive/containers-${version}.tar.gz"
 checksum=5f43ffaf9bcfc73032cafeb94fe9596dcfa0b26f0bd2730656c3daa4341d9c02
+setuid="/usr/bin/contain
+ /usr/bin/pseudo"
 
 do_install() {
 	vbin inject inject-contain

From cbd1032e690eda7210d53570bc623a1005e7342b Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:34 +0100
Subject: [PATCH 26/58] fcron: add $setuid and $setgid

---
 srcpkgs/fcron/template | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/srcpkgs/fcron/template b/srcpkgs/fcron/template
index d3f8567f8927..e8cce723e24a 100644
--- a/srcpkgs/fcron/template
+++ b/srcpkgs/fcron/template
@@ -32,6 +32,12 @@ homepage="http://fcron.free.fr"
 distfiles="$homepage/archives/$pkgname-$version.src.tar.gz"
 checksum=f359daa08a63ddfb7fe2f964bb3f5c52244c25aa36f9225a3cc54d36f4681106
 
+setuid="/usr/bin/fcronsighup
+ /usr/bin/fcrondyn
+ /usr/bin/fcrontab"
+setgid="/usr/bin/fcrondyn
+ /usr/bin/fcrontab"
+
 alternatives="
  crond:crond:/etc/sv/fcron
  crond:crontab:/usr/bin/fcrontab

From 0dc5eb5a2f33f8aa1ded67c40d25ba15f224fe24 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:36 +0100
Subject: [PATCH 27/58] glusterfs: add $setuid

---
 srcpkgs/glusterfs/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/glusterfs/template b/srcpkgs/glusterfs/template
index 993fde9a321c..b293783cb34c 100644
--- a/srcpkgs/glusterfs/template
+++ b/srcpkgs/glusterfs/template
@@ -18,6 +18,7 @@ license="GPL-2.0-or-later, LGPL-3.0-only"
 homepage="https://www.gluster.org/"
 distfiles="https://download.gluster.org/pub/gluster/glusterfs/${version%.*}/${version}/${pkgname}-${version}.tar.gz"
 checksum=07f360c9b43cb1101a857706494e310328e9d6a4e6b2f0697a3bc3f165c2652a
+setuid="/usr/bin/fusermount-glusterfs"
 
 case "$XBPS_TARGET_MACHINE" in
 	*-musl) broken="not yet supported";;

From d6fe8a3f1809687c9d3efbe30dcd5aa47e84176b Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:55:28 +0100
Subject: [PATCH 28/58] Powermanga: add $setuid

---
 srcpkgs/Powermanga/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/Powermanga/template b/srcpkgs/Powermanga/template
index f3b9ef9faf3c..5c78aeb88302 100644
--- a/srcpkgs/Powermanga/template
+++ b/srcpkgs/Powermanga/template
@@ -11,6 +11,7 @@ license="GPL-3.0-or-later"
 homepage="http://linux.tlk.fr/games/Powermanga"
 distfiles="https://github.com/brunonymous/Powermanga/archive/${version}.tar.gz"
 checksum=010987a3cb27a1f9388a212f637977692284b5616952efa1efae09d2464e9249
+setgid="/usr/bin/powermanga"
 
 pre_configure() {
 	./bootstrap

From 8eb134f1d56b96df326611f34efd9647a7dfb2cf Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:29 +0100
Subject: [PATCH 29/58] cronie: add $setuid

---
 srcpkgs/cronie/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/cronie/template b/srcpkgs/cronie/template
index 3f8fbbcc4f30..c4315e9087c5 100644
--- a/srcpkgs/cronie/template
+++ b/srcpkgs/cronie/template
@@ -24,6 +24,7 @@ make_dirs="
 	/var/spool/anacron 0755 root root"
 conf_files="/etc/anacrontab /etc/pam.d/crond /etc/cron.deny"
 provides="cron-daemon-0_1"
+setuid="/usr/bin/cronie-crontab"
 
 alternatives="
  crond:crond:/etc/sv/cronie

From 913e018e7456247e17b0e07591b1dce186e8fcfd Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 00:55:39 +0100
Subject: [PATCH 30/58] xscreensaver: add $setuid

---
 srcpkgs/xscreensaver/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/xscreensaver/template b/srcpkgs/xscreensaver/template
index 581298ad5999..38de4a9f0642 100644
--- a/srcpkgs/xscreensaver/template
+++ b/srcpkgs/xscreensaver/template
@@ -18,6 +18,8 @@ homepage="https://www.jwz.org/xscreensaver/"
 changelog="https://www.jwz.org/xscreensaver/changelog.html"
 distfiles="https://www.jwz.org/xscreensaver/xscreensaver-${version}.tar.gz"
 checksum=f534fab85a836de5b8be8e91fc21b80ca7d6a4ed9386ebe207d4be7a4e7499a7
+setuid="/usr/libexec/xscreensaver/xscreensaver-auth
+ /usr/libexec/xscreensaver/sonar"
 
 pre_configure() {
 	mkdir -p /usr/share/X11/app-defaults

From 3457df51660e3f895e90f7dddf43fa9de3f26b11 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:40:45 +0100
Subject: [PATCH 31/58] pmount: add $setuid

---
 srcpkgs/pmount/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/pmount/template b/srcpkgs/pmount/template
index 8a826f4e0fe6..34b34d11d4af 100644
--- a/srcpkgs/pmount/template
+++ b/srcpkgs/pmount/template
@@ -12,6 +12,8 @@ homepage="http://pmount.alioth.debian.org/"
 distfiles="${DEBIAN_SITE}/main/p/${pkgname}/${pkgname}_${version}.orig.tar.bz2"
 checksum=db38fc290b710e8e9e9d442da2fb627d41e13b3ee80326c15cc2595ba00ea036
 conf_files="/etc/pmount.allow"
+setuid="/usr/bin/pmount
+ /usr/bin/pumount"
 
 post_patch() {
 	vsed -i -e 's/DATADIRNAME=lib/DATADIRNAME=share/' configure

From 907718b2c5cf31bbe0a293ec8386fc0bad24359d Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:33:54 +0100
Subject: [PATCH 32/58] lxc: add $setuid

---
 srcpkgs/lxc/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/lxc/template b/srcpkgs/lxc/template
index 40f9cf15b522..2ec773597a59 100644
--- a/srcpkgs/lxc/template
+++ b/srcpkgs/lxc/template
@@ -17,6 +17,7 @@ license="LGPL-2.1-or-later"
 homepage="https://linuxcontainers.org"
 distfiles="https://linuxcontainers.org/downloads/lxc/lxc-${version}.tar.gz"
 checksum=d8195423bb1e206f8521d24b6cde4789f043960c7cf065990a9cf741dcfd4222
+setuid="/usr/libexec/lxc/lxc-user-nic"
 
 conf_files="/etc/lxc/default.conf"
 make_dirs="

From 27d418a7cd7e1a5a7c98eea59ccc019191ea2919 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:33 +0100
Subject: [PATCH 33/58] dma: add $setuid and $setgid

---
 srcpkgs/dma/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/dma/template b/srcpkgs/dma/template
index 78c71595ec15..0e3a98865ec3 100644
--- a/srcpkgs/dma/template
+++ b/srcpkgs/dma/template
@@ -13,6 +13,8 @@ homepage="https://github.com/corecode/dma"
 distfiles="https://github.com/corecode/dma/archive/v${version}.tar.gz"
 checksum=9d4b903f2b750d888f51d668d08d2ea18404dedb0a52cffeb3c81376023c1946
 system_accounts="mail"
+setuid="/usr/lib/dma-mbox-create"
+setgid="/usr/bin/dma"
 
 provides="smtp-server-0_1 smtp-forwarder-0_1"
 replaces="smtp-server>=0 smtp-forwarder>=0"

From 1c7e1a48bd31ddab971cfcb16873c020552b4b04 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:50:52 +0100
Subject: [PATCH 34/58] xorg-server: add $setuid

---
 srcpkgs/xorg-server/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/xorg-server/template b/srcpkgs/xorg-server/template
index b4d24434a24f..b34cd8e256ff 100644
--- a/srcpkgs/xorg-server/template
+++ b/srcpkgs/xorg-server/template
@@ -30,6 +30,7 @@ provides="xserver-abi-extension-10_1 xserver-abi-input-24_1
  xserver-abi-video-25_1 xf86-video-modesetting-1_1"
 replaces="xf86-video-modesetting>=0 glamor-egl>=0"
 conf_files="/etc/X11/Xwrapper.config"
+setuid="/usr/libexec/Xorg.wrap"
 
 build_options="elogind"
 desc_option_elogind="Rootless Xorg support with elogind"

From 5c9b4543581a2f294c06f21c8534356847aaea85 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:36:31 +0100
Subject: [PATCH 35/58] opensmtpd: add $setuid and $setgid

---
 srcpkgs/opensmtpd/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/opensmtpd/template b/srcpkgs/opensmtpd/template
index ab0b2e6a10ab..b608b9707471 100644
--- a/srcpkgs/opensmtpd/template
+++ b/srcpkgs/opensmtpd/template
@@ -26,6 +26,8 @@ checksum=51bf05312fe56764748faab9e63170bfbb7c7d84a37c4117b62b2681eb3a4d17
 provides="smtp-forwarder-0_1 smtp-server-0_1"
 replaces="smtp-forwarder>=0 smtp-server>=0"
 system_accounts="_smtpd _smtpq"
+setuid="/usr/libexec/opensmtpd/lockspool"
+setgid="/usr/bin/smtpctl"
 
 CFLAGS=-D_DEFAULT_SOURCE
 

From 1d20ed721b722690b91b24eb4639b239325a87de Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 01:12:48 +0100
Subject: [PATCH 36/58] arcan: add $setuid

---
 srcpkgs/arcan/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/arcan/template b/srcpkgs/arcan/template
index 7be9652eccf3..4b3e49602fe5 100644
--- a/srcpkgs/arcan/template
+++ b/srcpkgs/arcan/template
@@ -29,6 +29,7 @@ distfiles="https://github.com/letoram/arcan/archive/${version}.tar.gz
  https://github.com/letoram/openal/archive/${_versionOpenal}.tar.gz>openal_arcan.${_versionOpenal}.tar.gz"
 checksum="7bf083412bc61555472877313c13116431a0a36fccbf142f97559db43b4a1475
  3a50a87c05b67c466a868cc77f8dc7f9cfc9466aeeafcd823daca0d108c504da"
+setuid="/usr/bin/arcan"
 
 export CMAKE_GENERATOR="Unix Makefiles"
 

From 3e5f51ea29f2560569bb448c6a6121261f8f4e6a Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:32 +0100
Subject: [PATCH 37/58] davfs2: add $setuid

---
 srcpkgs/davfs2/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/davfs2/template b/srcpkgs/davfs2/template
index 1a2f8482e210..85b44de231a4 100644
--- a/srcpkgs/davfs2/template
+++ b/srcpkgs/davfs2/template
@@ -13,6 +13,7 @@ license="GPL-3.0-or-later"
 homepage="https://savannah.nongnu.org/projects/davfs2"
 distfiles="${NONGNU_SITE}/${pkgname}/${pkgname}-${version}.tar.gz"
 checksum=ce3eb948ece582a51c934ccb0cc70e659839172717caff173f69a5e2af90c5c0
+setuid="/usr/bin/mount.davfs"
 
 CFLAGS="-fcommon"
 

From 640ba156b68e40a2910a88919e1f0db63c2a7801 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:36 +0100
Subject: [PATCH 38/58] hikari: add $setuid

---
 srcpkgs/hikari/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/hikari/template b/srcpkgs/hikari/template
index 64811ea08b14..a5ce6f5783c7 100644
--- a/srcpkgs/hikari/template
+++ b/srcpkgs/hikari/template
@@ -21,6 +21,7 @@ conf_files="/etc/pam.d/hikari-unlocker /etc/hikari/hikari.conf"
 # bmake's -q flag seems to differ in behavior from gnu make which causes the
 # build style's handling of the check target not existing to fail.
 make_check=no
+setuid="/usr/bin/hikari-unlocker"
 
 pre_build() {
 	# The hikari Makefile appends to the CFLAGS and LDFLAGS variables;

From 8360ba13fd0fad3a7a019c6d05806f841fd58765 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:48:49 +0100
Subject: [PATCH 39/58] squid: add $setuid

---
 srcpkgs/squid/template | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/srcpkgs/squid/template b/srcpkgs/squid/template
index 49b9eb9d7b91..9ae78bc3850a 100644
--- a/srcpkgs/squid/template
+++ b/srcpkgs/squid/template
@@ -58,6 +58,9 @@ checksum=6b0753aaba4c9c4efd333e67124caecf7ad6cc2d38581f19d2f0321f5b7ecd81
 system_accounts="squid"
 # squid-conf-tests requires a squid user in the system
 make_check=no
+setuid="/usr/libexec/squid/pinger
+ /usr/libexec/squid/basic_pam_auth
+ /usr/libexec/squid/basic_ncsa_auth"
 
 if [ "$XBPS_TARGET_NO_ATOMIC8" ]; then
 	makedepends+=" libatomic-devel"
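Review bot: The three paths added to `setuid` under `/usr/libexec/squid/` are allowlisted with no statement of why each one needs the bit, and they do not look equal in need. `pinger` plausibly needs it for raw ICMP sockets and `basic_pam_auth` for PAM/shadow access, but `basic_ncsa_auth` only checks credentials against a password file and may not need root at all (inferred; the step that sets the modes is outside this hunk). These helpers handle credentials supplied by proxy clients, so I would add a comment above the list such as `# pinger: raw ICMP; basic_pam_auth: PAM/shadow; basic_ncsa_auth: TODO confirm setuid is required`, and clear the bit on any helper that works without it rather than allowlisting it.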

From 1124cb66992cc3abfd5c0ec53c1659cf62012a77 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:33:19 +0100
Subject: [PATCH 40/58] libutempter: add $setgid

---
 srcpkgs/libutempter/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/libutempter/template b/srcpkgs/libutempter/template
index 3a89e4126cfc..793a5e8163cd 100644
--- a/srcpkgs/libutempter/template
+++ b/srcpkgs/libutempter/template
@@ -9,6 +9,7 @@ license="LGPL-2.1-or-later"
 homepage="http://freecode.com/projects/libutempter"
 distfiles="http://ftp.altlinux.org/pub/people/ldv/utempter/${pkgname}-${version}.tar.gz"
 checksum=967fef372f391de501843ad87570c6cf5dabd9651f00f1783090fbc12b2a34cb
+setgid="/usr/lib/utempter/utempter"
 
 libutempter-devel_package() {
 	depends="${sourcepkg}>=${version}_${revision}"

From 41a0fbdece00a08c09e5c9da722f15ea7266743b Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:44:09 +0100
Subject: [PATCH 41/58] qemu: add $setuid

---
 srcpkgs/qemu/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/qemu/template b/srcpkgs/qemu/template
index 48ab199e5686..d41ed5395b20 100644
--- a/srcpkgs/qemu/template
+++ b/srcpkgs/qemu/template
@@ -33,6 +33,7 @@ ignore_elf_dirs="/usr/share/qemu"
 nostrip_files="hppa-firmware.img openbios-ppc openbios-sparc32 openbios-sparc64
  palcode-clipper s390-ccw.img s390-netboot.img u-boot.e500 opensbi-riscv32-generic-fw_dynamic.elf
  opensbi-riscv64-generic-fw_dynamic.elf"
+setuid="/usr/libexec/qemu-bridge-helper"
 
 build_options="gtk3 opengl sdl2 spice virgl smartcard numa iscsi jack pulseaudio"
 build_options_default="opengl gtk3 virgl sdl2 numa iscsi jack pulseaudio"

From 571ea7855be96edcc9111beae7caad6c0204ab3f Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:37:52 +0100
Subject: [PATCH 42/58] plocate: add $setgid

---
 srcpkgs/plocate/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/plocate/template b/srcpkgs/plocate/template
index f288bcf8dd32..0017bbce0dd5 100644
--- a/srcpkgs/plocate/template
+++ b/srcpkgs/plocate/template
@@ -16,6 +16,7 @@ homepage="https://plocate.sesse.net/"
 changelog="https://git.sesse.net/?p=plocate;a=blob_plain;f=NEWS;hb=HEAD"
 distfiles="https://plocate.sesse.net/download/plocate-${version}.tar.gz"
 checksum=939657050b70719b01ce04fc1c8b64270062a0d53da2c72eafbe036a1964e12c
+setgid="/usr/bin/plocate"
 
 system_accounts="_plocate"
 

From 4b052b992f80bdae80938e8385f172c70788924f Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:01:21 +0100
Subject: [PATCH 43/58] electron19: add $setuid

---
 srcpkgs/electron19/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/electron19/template b/srcpkgs/electron19/template
index 068136be7623..06a3e6e0ef46 100644
--- a/srcpkgs/electron19/template
+++ b/srcpkgs/electron19/template
@@ -34,6 +34,7 @@ distfiles="https://github.com/electron/electron/archive/v$version.tar.gz>electro
 checksum="d8ee01db95dfe24aa89a67424498b67102a4977ff9a3ccbfbc3f36801fdba7d5
  f33363565a3c8868f5f67f0852ccf8d19ada209af8ddd4e27774e50206700464
  cc2331a5c35d3dda0035d9cba71c3b8e234bc68e18ffd955b385c1e97062528f"
+setuid="/usr/lib/electron19/chrome-sandbox"
 
 case "$XBPS_TARGET_MACHINE" in
 	ppc64*-musl) makedepends+=" libucontext-devel" ;;

From 43aa49083503c0b72a2c830b4e16c585eb25c785 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:01:38 +0100
Subject: [PATCH 44/58] firejail: add $setuid

---
 srcpkgs/firejail/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/firejail/template b/srcpkgs/firejail/template
index 0365d6044fec..e438bb88aa7a 100644
--- a/srcpkgs/firejail/template
+++ b/srcpkgs/firejail/template
@@ -14,5 +14,6 @@ changelog="https://github.com/netblue30/firejail/raw/master/RELNOTES"
 distfiles="https://github.com/netblue30/firejail/archive/${version}.tar.gz"
 checksum=fa641abe2f673cef304cee6ef0a8ddb69db7919e0b69752f89762a341a87fabc
 conf_files="/etc/firejail/* /etc/apparmor.d/local/firejail-default"
+setuid="/usr/bin/firejail"
 
 nocross=yes

From 9ff37c2acbf0edeac9950a17a480a16cb1948641 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:01:47 +0100
Subject: [PATCH 45/58] hiawatha: add $setuid

---
 srcpkgs/hiawatha/template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/hiawatha/template b/srcpkgs/hiawatha/template
index 04377f40b88b..7f2887cc68fb 100644
--- a/srcpkgs/hiawatha/template
+++ b/srcpkgs/hiawatha/template
@@ -12,10 +12,11 @@ short_desc="Advanced and secure webserver for Unix"
 maintainer="Enno Boland <gottox@voidlinux.org>"
 license="GPL-2.0-or-later"
 homepage="https://hiawatha-webserver.org"
-distfiles="${homepage}/files/${pkgname}-${version}.tar.gz"
+distfiles="https://www.hiawatha-webserver.org/files/hiawatha-10/hiawatha-${version}.tar.gz"
 checksum=61bf41146c51244769984135529fcffd0f6cb92be18dc12d460effc42f19f50d
 conf_files="/etc/${pkgname}/*.conf /etc/${pkgname}/*.xslt"
 make_dirs="/var/log/hiawatha 0755 root root"
+setuid="/usr/bin/cgi-wrapper"
 
 post_install() {
 	vsv hiawatha
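Review bot: The `distfiles` line changed in this hunk has nothing to do with the `$setuid` allowlist named in the subject and the commit message does not mention it, so a source-URL change rides along unnoticed; it belongs in its own commit. The new URL also hard-codes the `hiawatha-10` directory, which goes stale on the next major version, where the old line was derived from `${homepage}`, `${pkgname}` and `${version}`. If the directory component is needed, `distfiles="https://www.hiawatha-webserver.org/files/hiawatha-${version%%.*}/${pkgname}-${version}.tar.gz"` keeps it tied to the version. `checksum` is unchanged, so the fetched tarball is still pinned to the same content.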

From 50e2acfb55e0e6ba16e0b901c46766af0c78bda7 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:10:26 +0100
Subject: [PATCH 46/58] kismet: add $setuid

---
 srcpkgs/kismet/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/kismet/template b/srcpkgs/kismet/template
index 48a0fc5fa6f1..b789aecc5a3e 100644
--- a/srcpkgs/kismet/template
+++ b/srcpkgs/kismet/template
@@ -18,6 +18,7 @@ homepage="https://www.kismetwireless.net/"
 distfiles="http://www.kismetwireless.net/code/${pkgname}-${_realver}.tar.xz"
 checksum=2149cceac5526508653f4d02dcf7a694e3da3dc000a2372a1ee4bf9988279781
 system_groups="kismet"
+setuid="/usr/bin/kismet_cap_rz_killerbee"
 
 if [ "$XBPS_TARGET_NO_ATOMIC8" ]; then
 	makedepends+=" libatomic-devel"

From 610306f2a020c41ce5431f0d899a07aeff22d8ef Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:17:32 +0100
Subject: [PATCH 47/58] schroot: add $setuid

---
 srcpkgs/schroot/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/schroot/template b/srcpkgs/schroot/template
index 36f6ee83b9a9..5204bffd1938 100644
--- a/srcpkgs/schroot/template
+++ b/srcpkgs/schroot/template
@@ -56,6 +56,8 @@ checksum="
  7bd4e0c2709979362c86a86c10d2b23d290d26e1a2d301a602e829327f483ec1"
 nocross=yes
 skip_extraction="schroot_${version}-${_debian_version}.debian.tar.xz"
+setuid="/usr/bin/schroot
+ /usr/bin/dchroot"
 
 post_extract() {
 	bsdtar -xf $XBPS_SRCDISTDIR/schroot-${version}/$skip_extraction

From bb02e93246a97e6848910593e062b2591d59c90e Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:17:51 +0100
Subject: [PATCH 48/58] x2goserver: add $setgid

---
 srcpkgs/x2goserver/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/x2goserver/template b/srcpkgs/x2goserver/template
index 0724ef53a2fa..83a7595d04fd 100644
--- a/srcpkgs/x2goserver/template
+++ b/srcpkgs/x2goserver/template
@@ -25,6 +25,7 @@ conf_files="
  /etc/x2go/x2goagent.*
  /etc/x2go/x2goserver.*
 "
+setgid="/usr/lib/x2go/libx2go-server-db-sqlite3-wrapper"
 
 post_install() {
 	rm -rf "${DESTDIR}/etc/logcheck"

From 5ab140e94a56ca645213d317f52e50c23600d01e Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:22:42 +0100
Subject: [PATCH 49/58] virtualbox-ose: add $setuid

---
 srcpkgs/virtualbox-ose/template | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/srcpkgs/virtualbox-ose/template b/srcpkgs/virtualbox-ose/template
index 4efc26f7da06..8ef1181930ce 100644
--- a/srcpkgs/virtualbox-ose/template
+++ b/srcpkgs/virtualbox-ose/template
@@ -30,6 +30,12 @@ fi
 
 depends="virtualbox-ose-dkms-${version}_${revision} hicolor-icon-theme desktop-file-utils dbus"
 system_groups="vboxusers"
+setuid="/usr/lib/virtualbox/VirtualBoxVM
+ /usr/lib/virtualbox/VBoxNetNAT
+ /usr/lib/virtualbox/VBoxHeadless
+ /usr/lib/virtualbox/VBoxNetDHCP
+ /usr/lib/virtualbox/VBoxNetAdpCtl"
+
 
 do_configure() {
 	cp ${FILESDIR}/LocalConfig.kmk .
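Review bot: The bare `+` line added after the closing quote of `setuid` leaves two consecutive empty lines before `do_configure()`; drop it so the hunk adds only the five-path list. The list marks five binaries under `/usr/lib/virtualbox/` as setuid with no comment on why, and a short line above it such as `# setuid root launchers; recheck this list on every version bump` would tell the next maintainer that new entries need a look rather than a copy (the build configuration that sets the bits is outside the hunk).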

From 54db7f4c933f1bedc4c8ec9094b92bf94bce1ed3 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Sun, 3 Apr 2022 22:50:24 -0400
Subject: [PATCH 50/58] at: explicitly allow setuid

---
 srcpkgs/at/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/at/template b/srcpkgs/at/template
index 41bc74404c48..652b1138759f 100644
--- a/srcpkgs/at/template
+++ b/srcpkgs/at/template
@@ -16,6 +16,8 @@ homepage="https://packages.qa.debian.org/a/at.html"
 distfiles="${DEBIAN_SITE}/main/a/${pkgname}/${pkgname}_${version}.orig.tar.gz"
 checksum=bb066b389d7c9bb9d84a35738032b85c30cba7d949f758192adc72c9477fd3b8
 disable_parallel_build=yes
+setuid="/usr/bin/at"
+setgid="/usr/bin/at"
 
 conf_files="/etc/at.deny"
 system_accounts="at"

From 2d3c6a7884f4de4a276f577c4dec686b15cb1380 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Sun, 3 Apr 2022 00:03:39 -0400
Subject: [PATCH 51/58] 9mount: explicitly allow setuid

---
 srcpkgs/9mount/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/9mount/template b/srcpkgs/9mount/template
index 5b1160ad2049..04817c3c3c42 100644
--- a/srcpkgs/9mount/template
+++ b/srcpkgs/9mount/template
@@ -10,6 +10,7 @@ license="ISC"
 homepage="http://sqweek.net/code/9mount/"
 distfiles="http://sqweek.net/9p/$pkgname-$version.tar.gz"
 checksum=820d80b9b478d05ecb022ad658477b37cfc2414a8669c3af17d192a522064c17
+setuid="/usr/bin/9mount /usr/bin/9umount /usr/bin/9bind"
 
 pre_build() {
 	sed -i '/chown/d' Makefile

From c78b9d21ae72d8b880369dece8547b386366810a Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Sat, 2 Apr 2022 22:20:53 -0400
Subject: [PATCH 52/58] xlockmore: explicitly allow setuid

Setuid root appears required by xlock on systems that use shadow passwords,
according to the README.

Requires confirmation
---
 srcpkgs/xlockmore/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/xlockmore/template b/srcpkgs/xlockmore/template
index 2cee0181924d..c9b9b1b0764e 100644
--- a/srcpkgs/xlockmore/template
+++ b/srcpkgs/xlockmore/template
@@ -15,6 +15,7 @@ changelog="http://sillycycle.com/xlock/xlockmore.README"
 distfiles="http://sillycycle.com/xlock/xlockmore-${version}.tar.xz"
 checksum=0118b2d4b28303c335426cd6ca844b4776e4b71adb1d344f2ec087b57616c21a
 CFLAGS="-D_DEFAULT_SOURCE"
+setuid="/usr/bin/xlock"
 
 build_options="opengl"
 desc_option_opengl="Enable OpenGL modes"
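Review bot: The justification for allowlisting `/usr/bin/xlock` exists only in the commit message, which itself ends with "Requires confirmation", so the template gives a later reader no hint that the entry is unverified. A comment above the new line would carry that over, e.g. `# setuid root: needed for shadow passwords per upstream README; unconfirmed`. Whether this build authenticates through PAM is not visible in the hunk; if it does, the bit may be unnecessary, and clearing it would be better than allowlisting it.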

From d6f9faffcb4eac5ee22acaf75c90a87b8c6eb4c7 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Tue, 19 Apr 2022 20:46:33 -0400
Subject: [PATCH 53/58] util-linux: explicitly allow setuid

---
 srcpkgs/util-linux/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/util-linux/template b/srcpkgs/util-linux/template
index 2530c51d17b9..3aed9934beb5 100644
--- a/srcpkgs/util-linux/template
+++ b/srcpkgs/util-linux/template
@@ -23,6 +23,8 @@ license="GPL-2.0-or-later"
 homepage="https://www.kernel.org/pub/linux/utils/util-linux/"
 distfiles="${KERNEL_SITE}/utils/${pkgname}/v${version%.${version#*.*.}}/${pkgname}-${version}.tar.xz"
 checksum=60492a19b44e6cf9a3ddff68325b333b8b52b6c59ce3ebd6a0ecaa4c5117e84f
+setuid="/usr/bin/mount /usr/bin/umount /usr/bin/su /usr/bin/newgrp
+ /usr/bin/chsh /usr/bin/chfn"
 
 # Create uuidd system account for uuidd.
 system_accounts="_uuidd"

From 3beea24409efd71bafe2829858fa6fb6ce04f2d8 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Tue, 19 Apr 2022 21:27:55 -0400
Subject: [PATCH 54/58] shadow: explicitly allow setuid

---
 srcpkgs/shadow/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/shadow/template b/srcpkgs/shadow/template
index c59d92bfeb54..279cacf843be 100644
--- a/srcpkgs/shadow/template
+++ b/srcpkgs/shadow/template
@@ -18,6 +18,8 @@ homepage="https://github.com/shadow-maint/shadow"
 distfiles="${homepage}/releases/download/${version}/shadow-${version}.tar.xz"
 checksum=a3ad4630bdc41372f02a647278a8c3514844295d36eefe68ece6c3a641c1ae62
 conf_files="/etc/pam.d/* /etc/default/* /etc/login.defs"
+setuid="/usr/bin/passwd /usr/bin/gpasswd /usr/bin/expiry /usr/bin/chage
+ /usr/bin/sg /usr/bin/newuidmap /usr/bin/newgidmap"
 
 pre_configure() {
 	case "$XBPS_TARGET_MACHINE" in

From 961212bb3b8535e1e0ceb63f94eb37908d2e8cb2 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Tue, 19 Apr 2022 21:58:17 -0400
Subject: [PATCH 55/58] sudo: explicitly allow setuid

---
 srcpkgs/sudo/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/sudo/template b/srcpkgs/sudo/template
index f1278024f4ff..43d3088d0002 100644
--- a/srcpkgs/sudo/template
+++ b/srcpkgs/sudo/template
@@ -18,6 +18,7 @@ distfiles="https://www.sudo.ws/dist/sudo-${version}.tar.gz"
 checksum=b9a0b1ae0f1ddd9be7f3eafe70be05ee81f572f6f536632c44cd4101bb2a8539
 conf_files="/etc/pam.d/sudo /etc/sudoers"
 lib32disabled=yes
+setuid="/usr/bin/sudo"
 
 post_configure() {
 	case "$XBPS_TARGET_MACHINE" in

From 528ed53e42c5b1e335cb54496bafd6c16191ce35 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Tue, 19 Apr 2022 22:17:31 -0400
Subject: [PATCH 56/58] udevil: explicitly allow setuid

---
 srcpkgs/udevil/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/udevil/template b/srcpkgs/udevil/template
index b560bdf7589f..263d0a652102 100644
--- a/srcpkgs/udevil/template
+++ b/srcpkgs/udevil/template
@@ -13,6 +13,7 @@ license="GPL-3.0-or-later"
 homepage="http://ignorantguru.github.io/udevil/"
 distfiles="https://github.com/IgnorantGuru/udevil/archive/${version}.tar.gz"
 checksum=ad2fd8375bd62622718a04235e9772119459089938dbb78e657955e595822b7c
+setuid="/usr/bin/udevil"
 
 post_patch() {
 	vsed -i -e '/DATADIRNAME=/s/=.*/=share/' configure

From e08c73769d6e75b9d0e802e81f9c250edbd6445b Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Wed, 20 Apr 2022 15:37:20 -0400
Subject: [PATCH 57/58] thttpd: explicitly allow setuid

The makeweb tool needs sgid. However, thttpd is configured at compile time, and
it's unclear if our config (the default) allows usage of `makeweb`. That tool
also doesn't look like a superb thing to unconditionally ship in the main
package since it can't be configured by the system admin. Perhaps it should be
split into a subpackage?
---
 srcpkgs/thttpd/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/thttpd/template b/srcpkgs/thttpd/template
index 13de3fbef35e..3d288f2ea1cf 100644
--- a/srcpkgs/thttpd/template
+++ b/srcpkgs/thttpd/template
@@ -9,6 +9,7 @@ license="BSD-2-Clause"
 homepage="http://www.acme.com/software/thttpd/"
 distfiles="http://www.acme.com/software/thttpd/thttpd-${version}.tar.gz"
 checksum=99c09f47da326b1e7b5295c45549d2b65534dce27c44812cf7eef1441681a397
+setgid="/usr/bin/makeweb"
 
 pre_configure() {
 	vsed -i Makefile.in -e "s,-o bin -g bin,,g"
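Review bot: `setgid="/usr/bin/makeweb"` allowlists the bit, but the hunk does not show which group owns the binary in the package, and the context line below it edits ownership flags in `Makefile.in` (`s,-o bin -g bin,,g`). It is worth checking that makeweb ends up setgid to the intended web group and not to root's group; the install step and the rest of `pre_configure()` are outside the hunk. The commit message doubts that makeweb is usable with the default compile-time config, and that doubt should be recorded next to the variable, e.g. `# makeweb is setgid; unclear if usable with our config, consider clearing the bit or a subpackage`. The subject says "setuid" while the variable added is `setgid`.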

From 97bf7c974e97447266f35a7e600f2c8373b82982 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Wed, 20 Apr 2022 17:22:01 -0400
Subject: [PATCH 58/58] mit-krb5: explicitly allow setuid

---
 srcpkgs/mit-krb5/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/mit-krb5/template b/srcpkgs/mit-krb5/template
index a67bae19764a..8ba1a0ed56d5 100644
--- a/srcpkgs/mit-krb5/template
+++ b/srcpkgs/mit-krb5/template
@@ -42,6 +42,7 @@ post_install() {
 
 mit-krb5-client_package() {
 	short_desc+=" - client programs"
+	setuid="/usr/bin/ksu"
 	pkg_install() {
 		for f in uuclient ktutil kswitch gss-client kvno kinit kpasswd \
 			kdestroy sclient kadmin k5srvutil sim_client klist ksu; do
