Package: gnunet-server Version: 0.9.3-2 The gnunet-helper-fs-publish binary is provided set-UID root by the package, which (as per upstream, see below) is unnecessary. Apart from raising security concerns, it also precludes gnunet-publish(1) from running when GNUnet itself runs under an “ordinary” user (as opposed to a dedicated, “system” one.)
My reading of debian/gnunet-server.postinst (as of b3ea4f34, quoted below) is that the issue is likely to be present in the yet unreleased 0.9.3-4 version of the package. --cut: gnunet/debian/gnunet-server.postinst -- 81 for file in /usr/bin/gnunet-helper-exit \ 82 /usr/bin/gnunet-helper-fs-publish \ 83 /usr/bin/gnunet-helper-nat-client \ 84 /usr/bin/gnunet-helper-nat-server \ 85 /usr/bin/gnunet-helper-transport-wlan \ 86 /usr/bin/gnunet-helper-vpn 87 do 88 # only do something when no setting exists 89 if ! dpkg-statoverride --list $file >/dev/null 2>&1 && [ -e $file ] 90 then 91 chown root:${_GROUPNAME} $file 92 chmod 4754 $file 93 fi 94 done --cut: gnunet/debian/gnunet-server.postinst -- Could this please be rectified? TIA. >>>>> Christian Grothoff <groth...@in.tum.de> writes: >>>>> On 10/21/2012 08:42 AM, Ivan Shmakov wrote: […] >> • A number of binaries (as per the gnunet-server 0.9.3-2 Debian >> package) come set-UID root: >> gnunet-helper-dns >> gnunet-helper-exit >> gnunet-helper-fs-publish >> gnunet-helper-nat-client >> gnunet-helper-nat-server >> gnunet-helper-transport-wlan >> gnunet-helper-vpn > Ugh, gnunet-helper-fs-publish should NOT be SUID! That's a serious > bug in the Debian package, please report it to Debian! […] -- FSF associate member #7257 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org