On Tue Feb 05, 2002 at 11:38:48PM -0600, Bryan Paxton wrote: [...]
> Like I said, ssh really doesn't need to be setuid either, unless you
> specifically need to use rhost auth, but refer above for all that info.
>
> This is arguable, but I think the sane and logical choice to make is to
> strip all these of their setuid bits.

We did, at one time, strip the setuid bit from ssh but the openssh team yelled at us (specifically, Theo yelled at me). I think we'll keep the setuid bit on ssh. =) Anyone who's had that happen to them doesn't want a repeat performance and, unfortunately, Theo and Markus both come to me now when there are any anomalies in our openssh packages... =)

--
MandrakeSoft Security, OpenPGP key available on www.keyserver.net
1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD
Current Linux kernel 2.4.8-34.1mdk uptime: 14 days 4 hours 42 minutes.
