I agree with the previous posters.

I currently have 29 suid binaries installed, including stuff like
pulseaudio. I was asked for exactly zero of these if I would want them
suid during installation.

Barring serious security holes in scponlyc, I think shipping it broken
will decrease overall user security.

Furthermore, I came across this bug by chance. It did not even occur to
me that my shiny new Ubuntu might ship packages broken by default, so I
tried figuring out my mistake. The time saved for the scponly users by
not asking them about scponlyc is more than offset by the time spent by
would-be scponlyc users trying to debug their setup.

If you totally must ship scponly broken without asking the user (who btw
specifically wanted that package. It is not like there are many packages
which depend on scponly), please at least change the manpage to reflect
that.

I did not even find it mentioned in the documentation. Just add a "Due
to security concerns, scponlyc is broken by default in Debian and
Ubuntu. To use it run chmod u+s /usr/sbin/scponlyc." to the manpage. If
it was documented behaviour, I doubt anyone here would be enraged by
this bug.

I should not have to visit the upstream site of a package to learn about
problems of said package in my distribution.

Then again, it would probably be more useful to complain about this bug
to the Debian developers.

-- 
scponlyc has SUID not set
https://bugs.launchpad.net/bugs/51085