On 07/29/2018 03:43 PM, Ulrich Mueller wrote:
> 
> Shouldn't this check for setuid binaries like /usr/bin/mandb (which is
> owned by man:man)? I think these are legitimate usage cases.
> 

In general, yeah. I think we should be skeptical of setuid/gid
executables, but this isn't the right place to make that stand.

In this specific case, though, I don't see why that program is setuid.
In fact, I'm pretty sure it lets the "man" user gain root privileges.
