On Wed, Oct 20, 2010 at 10:25 AM, Chris Palmer <[email protected]>wrote:
> On Mon, Oct 18, 2010 at 11:00 AM, Dianne Hackborn <[email protected]> > wrote: > > > There may be one or too very suid binaries, but that is all. > > And there is a CTS test to ensure that no new setuid binaries are created. > Here's the CTS code: http://android.git.kernel.org/?p=platform/cts.git;a=commit;h=accc6844267a59b122b6db7af62e0797bf2911c2 Note that it doesn't actually fail if a new SUID binary shows up. Rather, it just generates a report. I expect us to be taking a harder line against SUID binaries in future versions of Android. Many of the vulnerabilities we've found have been in SUID programs added by third parties. -- Nick -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
