Hello all,

When installing programs with dpkg (and its various frontends) you get no warning when a setuid or setgid file is installed. I would consider it desirable behaviour of dpkg to alert the user who's installing the package that it contains a setuid or setgid binary, the path of that binary, under what effective user or group it runs and its md5 checksum.

I think that this could increase the security of Debian systems as it would result in the person who installs the package being alerted to the fact that it (the program he/she is installing) may introduce a security problem. Perhaps an interactive prompt (with an option to override this behaviour on the command-line) which asks if you would like to continue with the installation of the package even though it contains a setuid or setgid program would be appropriate behavior.

Is there any reason that this hasn't been added to dpkg's code? I don't think that it would require a change in the format of .deb packages. Does anyone have any thoughts on this matter?

-------------
Joe Dollard
[EMAIL PROTECTED]
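The report proposed in this message can be produced before installation by scanning a package's filesystem tarball, as emitted by `dpkg-deb --fsys-tarfile`. The following is an added example, not part of the original post and not dpkg code; the function names are hypothetical and the sample archive is constructed.

```python
import hashlib
import io
import stat
import sys
import tarfile


def find_setid_members(tar_stream):
    """Return one report per setuid/setgid regular file in a tar stream."""
    findings = []
    with tarfile.open(fileobj=tar_stream, mode="r|*") as tar:
        for member in tar:
            setuid = bool(member.mode & stat.S_ISUID)
            setgid = bool(member.mode & stat.S_ISGID)
            if not member.isfile() or not (setuid or setgid):
                continue
            # Hash the file body straight from the stream; nothing is unpacked to disk.
            digest = hashlib.md5(tar.extractfile(member).read()).hexdigest()
            findings.append({
                "path": member.name,
                "mode": format(member.mode & 0o7777, "04o"),
                # Effective identity comes from the file owner recorded in the archive.
                "runs_as_user": (member.uname or str(member.uid)) if setuid else None,
                "runs_as_group": (member.gname or str(member.gid)) if setgid else None,
                "md5": digest,
            })
    return findings


def build_sample_tar():
    """Constructed stand-in for a package's filesystem tarball (not a real package)."""
    entries = [
        ("./usr/bin/example-suid", 0o4755, "root", "root", b"constructed suid payload\n"),
        ("./usr/bin/example-sgid", 0o2755, "root", "mail", b"constructed sgid payload\n"),
        ("./usr/bin/example-plain", 0o0755, "root", "root", b"constructed plain payload\n"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, uname, gname, body in entries:
            info = tarfile.TarInfo(name)
            info.mode, info.uname, info.gname, info.size = mode, uname, gname, len(body)
            tar.addfile(info, io.BytesIO(body))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # "-" reads a tarball from stdin, e.g. the output of `dpkg-deb --fsys-tarfile`.
    stream = sys.stdin.buffer if sys.argv[1:] == ["-"] else build_sample_tar()
    for f in find_setid_members(stream):
        print("{path} mode={mode} user={runs_as_user} group={runs_as_group} md5={md5}".format(**f))
```

The scan covers only modes recorded in the archive; permissions changed later by maintainer scripts are not visible to it.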

