On 07/29/2018 03:43 PM, Ulrich Mueller wrote:
>
> Shouldn't this check for setuid binaries like /usr/bin/mandb (which is
> owned by man:man)? I think these are legitimate usage cases.
>

In general, yeah. I think we should be skeptical of setuid/gid executables, but this isn't the right place to make that stand. In this specific case, though, I don't see why that program is setuid. In fact, I'm pretty sure it lets the "man" user gain root privileges.