On Tue, Feb 9, 2021 at 6:02 PM Michael Orlitzky <m...@gentoo.org> wrote:

> On Tue, 2021-02-09 at 17:53 -0800, Fāng-ruì Sòng wrote:
> > (I replied via
> > https://groups.google.com/g/linux.gentoo.dev/c/WG-OLQe3yng
> > "Reply all" (which only replied to the list AFAICT) but I did not
> > subscribe to gentoo-dev via the official
> > https://www.gentoo.org/get-involved/mailing-lists/ so my reply is
> > missing)
> >
>
> Apologies for hijacking your post with a tangential question, but you
> reminded me to ask: how did you notice this problem? Ultimately all
> system executables (in $PATH) should be owned by (and writable only by)
> root anyway; otherwise you get silly security vulnerabilities like "cat
> ~/virus > /usr/bin/foo" as a regular user.
>

Root is the owner, but often there is also a group that has access to the files.
After stripping with llvm-strip, the new ownership is root:root instead of
root:<group>.
Therefore, the members of the group lose access to the files post-stripping.

We found this issue in Chrome OS when we tried to switch the defaults to
llvm's objcopy/strip.

Example of ebuilds:
$ grep -ri fowners .|grep bin|grep usr|tail -10
./net-analyzer/tcpdump/tcpdump-4.9.3-r4.ebuild: fowners root:pcap /usr/sbin/tcpdump
./net-analyzer/tcpdump/tcpdump-4.99.0.ebuild: fowners root:pcap /usr/sbin/tcpdump
./net-analyzer/netselect/netselect-9999.ebuild: fowners root:wheel /usr/bin/netselect
./net-analyzer/netselect/netselect-0.4-r1.ebuild: fowners root:wheel /usr/bin/netselect
./net-analyzer/driftnet/driftnet-1.3.0.ebuild: fowners root:wheel "/usr/bin/driftnet"
./mail-filter/procmail/procmail-3.22-r14.ebuild: fowners root:mail /usr/bin/lockfile
./sys-block/scsiadd/scsiadd-1.97-r1.ebuild: fowners root:scsi /usr/sbin/scsiadd
./x11-terms/aterm/aterm-1.0.1-r4.ebuild: fowners root:utmp /usr/bin/aterm
./x11-terms/mrxvt/mrxvt-0.5.4.ebuild: fowners root:utmp /usr/bin/mrxvt
./games-arcade/xboing/xboing-2.4-r3.ebuild: fowners root:gamestat /var/games/xboing.score /usr/bin/xboing

Thanks,
Manoj
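As an added example that is not part of the thread (nor Gentoo's or LLVM's own code), the following Python wrapper snapshots owner, group and permission bits before a strip step and restores whatever drifted afterwards, so a root:<group> binary cannot silently become root:root. The strip command, file names and the fake strip used in `demo()` are constructed for illustration; restoring a foreign gid still requires root or membership in that group.

```python
"""Detect and undo ownership/mode drift caused by a strip step (added example)."""
import os
import stat
import subprocess
import tempfile


def snapshot(paths):
    """Map each path to its (uid, gid, permission bits) triple."""
    out = {}
    for p in paths:
        st = os.stat(p)
        out[p] = (st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    return out


def ownership_drift(before, after):
    """Return [(path, before_triple, after_triple)] for every path whose triple changed."""
    return [(p, before[p], after[p]) for p in before if before[p] != after[p]]


def strip_preserving(strip_cmd, paths):
    """Run strip_cmd over paths, then put back any uid/gid/mode that drifted.

    strip_cmd is an argv prefix such as ["llvm-strip", "--strip-unneeded"] (assumed).
    Returns the drift list so the caller can log which installed files were affected.
    """
    before = snapshot(paths)
    subprocess.run([*strip_cmd, *paths], check=True)
    drift = ownership_drift(before, snapshot(paths))
    for path, (uid, gid, mode), _ in drift:
        os.chown(path, uid, gid)  # gid restore needs root or group membership
        os.chmod(path, mode)
    return drift


def demo():
    """Constructed stand-in for the bug: a fake strip that resets the mode to 0644.

    Returns (number of drifted files, final mode) for a 0750 file named like tcpdump.
    """
    fake_strip = ["sh", "-c", 'for f; do chmod 0644 "$f"; done', "fake-strip"]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tcpdump")
        open(path, "wb").close()
        os.chmod(path, 0o750)
        drift = strip_preserving(fake_strip, [path])
        return len(drift), stat.S_IMODE(os.stat(path).st_mode)
```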
