New issue by paper42 on void-packages repository

https://github.com/void-linux/void-packages/issues/32156

Description:
There are no checks for setuid and setgid permissions right now which could potentially be a security risk.

a) `setugid=yes` allows both setuid and setgid permissions in all files in the package
b) `setugid="usr/bin/su"` per-file rules

split setuid and setgid rules
c) `setuid=yes; setgid=yes`
d) `setuid="usr/bin/su"; setgid=""`

I will prepare a post-install hook when it's decided which method is preferred.

I like c) the most, because there are some packages providing just setgid binaries without needing setuid (mlocate). b) and d) sound too verbose to me and if a package provides a set{u,g}id binary, the whole package is trusted.

I would also like to ask someone with access to the binary repository to post here which packages have set{u,g}id binaries.

cc @ericonr
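A sketch of how a check for option c) could behave, added here as an illustration; it is not part of the issue and not void-packages code. The function names `list_with_bit`, `check_setugid` and `make_sample_pkg`, the message text and the sample package tree are all hypothetical and constructed for the example.

```shell
#!/bin/sh
# Added example (not void-packages code): a check for option c),
# where a template opts in with setuid=yes and/or setgid=yes.

# Print files under package root $1 that carry mode bit $2 (4000 or 2000),
# as paths relative to that root.
list_with_bit() {
    (cd "$1" && find . -type f -perm "-$2" -print | sed 's|^\./||' | sort)
}

# check_setugid DESTDIR SETUID SETGID
# SETUID/SETGID are the template values; only "yes" permits the bit.
# Prints one line per violation; returns 1 if there was any, else 0.
check_setugid() {
    destdir=$1
    status=0
    for rule in "setuid:4000:$2" "setgid:2000:$3"; do
        name=${rule%%:*}; rest=${rule#*:}
        bit=${rest%%:*}; allowed=${rest#*:}
        if [ "$allowed" = yes ]; then continue; fi
        while IFS= read -r f; do
            if [ -z "$f" ]; then continue; fi
            printf '%s file but %s=yes is not set: %s\n' "$name" "$name" "$f"
            status=1
        done <<EOF
$(list_with_bit "$destdir" "$bit")
EOF
    done
    return "$status"
}

# Constructed sample package tree: one setuid, one setgid, one plain file.
make_sample_pkg() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/bin"
    for f in su locate ls; do : > "$root/usr/bin/$f"; done
    chmod 4755 "$root/usr/bin/su"
    chmod 2755 "$root/usr/bin/locate"
    chmod 0755 "$root/usr/bin/ls"
    printf '%s\n' "$root"
}
```

With the sample tree, `check_setugid "$root" no yes` reports `usr/bin/su` and fails, while a setgid-only package in the style of mlocate passes with `check_setugid "$root" "" yes`.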