>>>>> On Sun, 29 Jul 2018, Michael Orlitzky wrote:

> System executables that are not owned by root pose a security
> risk. The owner of the executable is free to modify it at any time;
> so, for example, he can change a daemon's behavior to make it
> malicious before the next time the service is started (usually by
> root).

> On a "normal" system, there is no good reason why the superuser should
> not own every system executable. This commit adds a new install-time
> check that reports any such binaries with a QA warning. To avoid false
> positives, non-"normal" systems (like prefix) are skipped at the moment.

Shouldn't this check for setuid binaries like /usr/bin/mandb (which is
owned by man:man)? I think these are legitimate usage case.

Ulrich

Attachment: pgptqtrJo8E1U.pgp
Description: PGP signature

Reply via email to