>>>>> On Sun, 29 Jul 2018, Michael Orlitzky wrote:

> System executables that are not owned by root pose a security
> risk. The owner of the executable is free to modify it at any time;
> so, for example, he can change a daemon's behavior to make it
> malicious before the next time the service is started (usually by
> root).

> On a "normal" system, there is no good reason why the superuser should
> not own every system executable. This commit adds a new install-time
> check that reports any such binaries with a QA warning. To avoid false
> positives, non-"normal" systems (like prefix) are skipped at the moment.

Shouldn't this check for setuid binaries like /usr/bin/mandb (which is
owned by man:man)? I think these are a legitimate usage case.

Ulrich
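An added example of the kind of check discussed in this thread (it is not the code from the commit): it scans an install image for executables not owned by root and lists set-id ones, such as the man:man-owned /usr/bin/mandb mentioned above, separately so that either policy can be applied to them. The function names, the `trusted_uid` parameter and the choice to examine every executable regular file in the image are assumptions.

```python
import os
import stat
import sys


def classify(mode, uid, trusted_uid=0):
    """Classify one file from its lstat() mode and owner uid."""
    if not stat.S_ISREG(mode) or not mode & 0o111:
        return "skip"    # not a regular file with an execute bit
    if uid == trusted_uid:
        return "ok"      # owned by the superuser
    if mode & (stat.S_ISUID | stat.S_ISGID):
        return "setid"   # set-id and owned by another user: review separately
    return "warn"        # plain executable its owner could rewrite


def scan_image(image_dir, trusted_uid=0):
    """Walk an install image and return image-relative paths per category."""
    found = {"warn": [], "setid": []}
    for root, _dirs, files in os.walk(image_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the image
            kind = classify(st.st_mode, st.st_uid, trusted_uid)
            if kind in found:
                found[kind].append("/" + os.path.relpath(path, image_dir))
    for paths in found.values():
        paths.sort()
    return found


if __name__ == "__main__":
    # Assumption: the image directory is given as the first argument.
    result = scan_image(sys.argv[1] if len(sys.argv) > 1 else ".")
    for p in result["warn"]:
        print("QA Notice: executable not owned by root:", p)
    for p in result["setid"]:
        print("QA Notice: set-id executable not owned by root:", p)
```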