Security and release teams, may I have your advice about this suggestion? As you may know, I currently act as maintainer for the shadow package, but I'm also aware of my own weaknesses when it comes to security (and security-related) issues, so I prefer getting the advice of more competent people.
Given that installing login non-setuid has been blessed for Ubuntu, I'm inclined to follow the suggestion, but doing so close to a release is maybe not wise... so I'm seeking advice. :-)

----- Forwarded message from Martin Pitt <[EMAIL PROTECTED]> -----

Subject: Bug#298060: Please don't install login as setuid root
Reply-To: Martin Pitt <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Date: Fri, 4 Mar 2005 12:39:11 +0100
From: Martin Pitt <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>

Package: login
Version: 1:4.0.3-30.9
Severity: wishlist
Tags: patch

Hi!

/bin/login is currently installed setuid root, which is absolutely not necessary and only a potential security threat. In Ubuntu we have been installing it as 0755 for ages now without any problems.

Trivial patch, but for the record:

http://patches.ubuntu.com/patches/shadow.login-nosuid.diff

Please consider making this change for Debian, too.

Thanks,

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

----- End forwarded message -----

