On Sat, Mar 05, 2005 at 03:34:58PM +0100, Christian Perrier wrote:
> Security and release teams, may I have your advice about this suggestion?

> As you may know, I currently act as maintainer for the shadow package,
> but I'm also aware of my own weaknesses when it comes to security (and
> security-related) issues, so I prefer getting the advice of more
> competent people.

> Given that installing login non-setuid has been blessed for Ubuntu,
> I'm inclined to follow the suggestion, but doing so close to a release
> is maybe not wise... so I'm seeking advice. :-)

Even when this feature was novel to me, I never found it useful.  I wouldn't
miss it, and obviously the security folks wouldn't; perhaps other people
may, so it's probably reasonable to let such a change age in unstable for a
bit to give them a chance to object and explain why this is actually useful
(since no one else can think of a reason).

-- 
Steve Langasek
postmodern programmer

> ----- Forwarded message from Martin Pitt <[EMAIL PROTECTED]> -----
> 
> Subject: Bug#298060: Please don't install login as setuid root
> Reply-To: Martin Pitt <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Date: Fri, 4 Mar 2005 12:39:11 +0100
> From: Martin Pitt <[EMAIL PROTECTED]>
> To: Debian Bug Tracking System <[EMAIL PROTECTED]>
> 
> Package: login
> Version: 1:4.0.3-30.9
> Severity: wishlist
> Tags: patch
> 
> Hi!
> 
> /bin/login is currently installed setuid root, which is absolutely not
> necessary and only a potential security threat. In Ubuntu we have
> installed it as 0755 for ages now without any problems.
> 
> Trivial patch, but for the record:
> 
>   http://patches.ubuntu.com/patches/shadow.login-nosuid.diff
> 
> Please consider making this change for Debian, too.
> 
> Thanks,
> 
> Martin
> 
> -- 
> Martin Pitt                       http://www.piware.de
> Ubuntu Developer            http://www.ubuntulinux.org
> Debian GNU/Linux Developer       http://www.debian.org
> 
> 
> 
> ----- End forwarded message -----