Hello all, Section 4.9 of the Debian policy manual specifically permits deviance from the defined behavior when necessary; however, I would like to discuss a situation not contemplated by that section.
The situation is this. There is a mailing list management program that needs to run setuid to its particular uid (created by adduser in postinst). It also ought to run setgid to its particular gid (again, created by adduser in postinst.) It is intended to be run only by an MTA, and as a security precaution (since it is setuid/setgid), it is best not to let anyone execute it (also, it would be very easy to forge messages that way.)

My current solution is to have it owned by user listar, group daemon, mark it setuid and group executable, with no user execute permissions. This is OK (the MTA runs as group daemon), but the problem is that it cannot be setgid to the appropriate gid in this situation.

The solution that I have come up with is to create a special directory in its /usr/lib area:

    drwxrwx---   listar.daemon   restricted-executables/

Then, in there, have the binary:

    -rwsrwsr-x   listar.listar   listar

How does that sound to everyone? This achieves appropriate security (only executable by MTAs [technically, the daemon group]) but still setuid and setgid appropriately. The downside is that the 4.9 doctrine is that people should be given read access as much as possible, but that isn't really possible here. The world-readable and -executable bits on the binary don't make a difference to others; they can't even get to that area.

Thanks,
John
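As an added illustration (not part of John's message or the package itself), the following shell snippet lays out the restricted-directory scheme in a scratch tree and then checks the property the whole idea rests on: no directory component below the package area grants "others" search permission, so the binary's world r-x bits are unreachable. It assumes GNU stat (for `stat -c %a`), uses the user/group names listar and daemon from the post, and only attempts chown when run as root with those accounts present.

```shell
#!/bin/sh
# Added example: builds the layout from the post under a scratch base
# directory standing in for /usr/lib/listar, then verifies the bits.
set -eu

setup_restricted_tree() {
    base="$1"
    dir="$base/restricted-executables"
    bin="$dir/listar"
    mkdir -p "$dir"
    printf '#!/bin/sh\nexit 0\n' > "$bin"
    chmod 0770 "$dir"   # drwxrwx--- : owner and group only, no search for others
    chmod 6775 "$bin"   # -rwsrwsr-x : setuid + setgid, world r-x as in the post
    # Ownership from the post; only possible as root with the accounts created
    # by postinst (constructed assumption: skip silently otherwise).
    if [ "$(id -u)" -eq 0 ] && id listar >/dev/null 2>&1 \
       && getent group daemon >/dev/null 2>&1; then
        chown listar:daemon "$dir"
        chown listar:listar "$bin"
    fi
}

# Octal mode including the special bits, e.g. 770 or 6775 (GNU stat assumed).
octal_mode() {
    stat -c %a "$1"
}

# Return 0 if every directory component strictly between $1 (base) and
# $2 (target) grants search permission to "others", 1 if any blocks them.
# The base itself (e.g. /usr/lib/listar, normally 755) is not checked.
others_can_traverse() {
    base="$1"; target="$2"
    rel="${target#"$base"/}"
    cur="$base"
    while [ "$rel" != "${rel#*/}" ]; do
        cur="$cur/${rel%%/*}"
        rel="${rel#*/}"
        case "$(octal_mode "$cur")" in
            *[1357]) ;;          # last octal digit carries the "others" x bit
            *) return 1 ;;       # this component shuts others out
        esac
    done
    return 0
}

# Return 0 only if the tree has the exact bits the scheme depends on.
check_restricted_tree() {
    base="$1"
    [ "$(octal_mode "$base/restricted-executables")" = "770" ] || return 1
    [ "$(octal_mode "$base/restricted-executables/listar")" = "6775" ] || return 1
    ! others_can_traverse "$base" "$base/restricted-executables/listar"
}
```

Running `setup_restricted_tree /tmp/x && check_restricted_tree /tmp/x` exits 0 when the directory really isolates the binary; loosening the directory to 0775 makes the traversal check fail, which is the regression a maintainer would want to catch.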

