On 07/29/2018 03:43 PM, Ulrich Mueller wrote:
>
>> On a "normal" system, there is no good reason why the superuser should
>> not own every system executable. This commit adds a new install-time
>> check that reports any such binaries with a QA warning. To avoid false
>> positives, non-"normal" systems (like prefix) are skipped at the moment.
>
> Shouldn't this check for setuid binaries like /usr/bin/mandb (which is
> owned by man:man)? I think these are legitimate usage cases.
>
After thinking about this for a while, I think we should ignore setgid but not setuid executables. The problem with setuid and a non-root owner is that the owner can always exploit the situation: Suppose /bin/foo is owned by "foo" and setuid. If root (or any other privileged user) is about to run /bin/foo, then the "foo" user can simply strip away the setuid bit and fill /bin/foo with malicious code. The same situation with setgid is safe because (as far as I know) members of the group can't strip off the setgid bit.
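As an added example, not code from this thread or from Portage's own QA checks, the following Python script implements the policy the reply describes: report any executable whose owner is not root, treat a non-root-owned setuid executable as the serious case, and ignore a setgid-only executable with a non-root owner. The root uid of 0 and the default directory list are assumptions; the mode values in the comments are constructed for illustration.

```python
import os
import stat
import sys

ROOT_UID = 0  # assumption: the superuser is uid 0 on the scanned system


def classify(mode, uid, root_uid=ROOT_UID):
    """Classify a single filesystem entry by its st_mode and st_uid.

    Returns None when nothing needs reporting, otherwise a short reason.
    The ordering follows the reasoning in the thread:
      * a setuid executable not owned by root is the dangerous case, because
        the owner can clear the bit and replace the file's contents before
        a privileged user runs it;
      * a setgid-only executable with a non-root owner is ignored, since
        group membership does not let anyone strip the setgid bit;
      * any other executable not owned by root still gets a plain warning.
    """
    if not stat.S_ISREG(mode):
        return None  # directories, devices, symlinks etc. are out of scope
    if not (mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)):
        return None  # not executable by anyone
    if uid == root_uid:
        return None  # owned by the superuser: fine
    if mode & stat.S_ISUID:
        return "setuid executable not owned by root"
    if mode & stat.S_ISGID:
        return None  # setgid-only, non-root owner: deliberately ignored
    return "executable not owned by root"


def scan(paths, root_uid=ROOT_UID):
    """Walk the given directories and return (path, reason) findings."""
    findings = []
    for base in paths:
        for dirpath, _dirnames, filenames in os.walk(base):
            for name in filenames:
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)  # do not follow symlinks
                except OSError:
                    continue  # vanished or unreadable: skip rather than fail
                reason = classify(st.st_mode, st.st_uid, root_uid)
                if reason is not None:
                    findings.append((full, reason))
    return findings


if __name__ == "__main__":
    # Assumed default system executable directories when none are given.
    targets = sys.argv[1:] or ["/bin", "/sbin", "/usr/bin", "/usr/sbin"]
    for path, reason in scan(targets):
        print("QA Notice: %s: %s" % (path, reason))
```

Run it as root (or any user that can lstat the target trees) with an optional list of directories; `classify` is separated from the walker so the ownership and mode logic can be exercised on constructed values without touching a live filesystem.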