

https://bugzilla.redhat.com/show_bug.cgi?id=819338

--- Comment #1 from Colin Walters <[email protected]> 2012-05-07 16:39:02 EDT ---
Some concerns were raised about adding a new setuid binary.  Basically, my
thoughts on this are:

* Conceptually this program doesn't allow a user to purely gain privileges;
it's a trade of ability to execute other setuid binaries for the ability to
call chroot() and make bind mounts.  So it's not like e.g. NetworkManager where
the user formerly couldn't control the network, now they can.  By the nature of
the tool, it's only designed to *limit* privileges for the child it runs.  For
example, it allows callers to have no networking stack.

* I believe this binary will not be a part of a privilege escalation chain
that's not possible to reach with any other setuid binary installed by default
(/bin/mount, /usr/sbin/seunshare) for example.

* We *could* offer a configure option to use PolicyKit but it'd be really
invasive...I'd do it if this was blocked getting into Fedora, but the
precedents of seunshare and mount exist.
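
The privilege trade the comment describes, as an added C sketch that is not the reviewed program's own code: the helper spends its setuid root only on unshare(), bind mounts with nosuid and chroot(), then permanently drops to the invoking user before exec, so the child is strictly more confined than its caller. The command-line layout and paths are assumptions; build_sandbox() needs root, while drop_privileges() and privileges_dropped() run unprivileged.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <sys/mount.h>
#include <unistd.h>

/* Permanently drop to the invoking user. Setting real, effective and saved
 * ids together means the child cannot later seteuid() back to root. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setresgid(gid, gid, gid) != 0) return -1;   /* gid first, while still root */
    if (setresuid(uid, uid, uid) != 0) return -1;
    return 0;
}

/* Returns 1 only if all three uids are the target, i.e. the drop is permanent. */
int privileges_dropped(uid_t uid) {
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0) return 0;
    return r == uid && e == uid && s == uid;
}

/* Use root only to build the restricted view, then give it back. Needs CAP_SYS_ADMIN. */
int build_sandbox(const char *root, const char *src, const char *dst) {
    /* Private mount namespace so our mounts do not leak to the host, and a
     * fresh network namespace so the child has no network stack at all. */
    if (unshare(CLONE_NEWNS | CLONE_NEWNET) != 0) return -1;
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) return -1;
    /* Bind mount, then remount nosuid: setuid binaries visible inside the
     * sandbox cannot be used to regain the privilege we are about to give up. */
    if (mount(src, dst, NULL, MS_BIND, NULL) != 0) return -1;
    if (mount(NULL, dst, NULL, MS_BIND | MS_REMOUNT | MS_NOSUID | MS_NODEV, NULL) != 0)
        return -1;
    if (chroot(root) != 0 || chdir("/") != 0) return -1;
    return 0;
}

int main(int argc, char **argv) {
    if (argc < 5) { fprintf(stderr, "usage: %s ROOT SRC DST CMD...\n", argv[0]); return 2; }
    uid_t uid = getuid();   /* the caller, not the euid granted by the setuid bit */
    gid_t gid = getgid();
    if (build_sandbox(argv[1], argv[2], argv[3]) != 0) { perror("sandbox"); return 1; }
    if (drop_privileges(uid, gid) != 0 || !privileges_dropped(uid)) { perror("drop"); return 1; }
    execvp(argv[4], &argv[4]);   /* never exec while still root */
    perror("execvp");
    return 1;
}
```

A real helper would also clear supplementary groups with setgroups() before the uid drop and validate that ROOT and DST are owned by the caller, which this sketch omits.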

package-review mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-review