
Re: suid programs and security




On 17 Feb 1997, Manoj Srivastava wrote:

> Fabien> I had done some big administration on my system this weekend
> Fabien> and found a lot of programs which don't register their suid bits
> Fabien> through suidregister (especially games). This should be a must
> Fabien> on the distribution, as for a check option on suidregister which
> Fabien> checks for unregistered suid programs.
> 
> 	Could we have a discussion of this on debian devel *before*
>  this is made a requirement? Why is suidregister a good idea? Are
>  there alternative methods? Are there opposing viewpoints?
> 
> 	Pardon me if I have just missed all the discussion and the
>  decision to go with suid register (but if there was such a decision,
>  it should be reflected in the policy guide).

You didn't miss anything... I'm sorry if people misunderstand me. What I 
mean is I find that we should use suidregister in place of putting in 
binary because:
1) suidregister is a good service that can really help to check some suid 
programs.
2) it is easy to use and doesn't blur anything. It increases the size of 
suid.conf but suid programs should be something rare, shouldn't they?
3) Using it, and making some gradual changes to the installation 
mechanism (e.g. putting out some warning when installing a suid program which 
doesn't suidregister itself...), can really improve the security of
Debian.

I really think people can feel better if they know where to easily find 
suid programs installed by the system and (by a simple wrapper as I 
suggest) be warned (or asked, or mailed, or whatever they want).

> 	I have a feeling that way too many policy decisions are being
>  made either offline or unilaterally by maintainers of utility
>  packages, and while I'm on the soapbox, I think that people are
>  largely ignoring the policy of asking on debian-devel *first* before
>  uploading totally new packages.
> 

I didn't feel I have some authority to establish a standard :) and 
suidregister is already used by some packages. I don't know who made it 
but I think it may be Ian, because dpkg is supposed to respect it 
(according to the man page). Or maybe I misunderstand what you are trying to 
reproach me for?

Sincerely,
Fabien

---------------------------------------------------------------------
 "Our policy is, when in doubt, do the right thing."   
                                          -- Roy L Ash
---------------------------------------------------------------------
Fabien Ninoles aka le Veneur aka le Corbeau     
E-mail: fab@tzone.org
WebPage: http://www-edu.gel.usherb.ca/ninf01 
E-mail me with "get pgp key" in the subject to get my public key
PGP KEY [E3723845]: 1C C1 4F A6 EE E5 4D 99  4F 80 2D 2D 1F 85 C1 70 
----------------------------------------------------------------------



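The check discussed in the message above (finding suid programs that were never registered) can be sketched as follows. This is an added example, not part of the original message and not suidregister's own code; the five-column registry layout (package, file, user, group, mode) and the sample entries are assumptions constructed for illustration.

```python
import os
import stat

SETID = stat.S_ISUID | stat.S_ISGID

# Constructed sample registry; the column layout is an assumption, not from the page.
SAMPLE_REGISTRY = """\
# package  file             user  group  mode
passwd     /usr/bin/passwd  root  root   4755
mount      /bin/mount       root  root   4755
"""

def parse_registry(text):
    """Return {path: mode} from registry text; '#' starts a comment."""
    registry = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 5:          # skip blank or malformed lines
            registry[fields[1]] = int(fields[4], 8)
    return registry

def scan_setid(root):
    """Walk root; return {path: permission bits} for regular files with suid/sgid set."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)       # lstat: do not follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID:
                found[path] = stat.S_IMODE(st.st_mode)
    return found

def audit(found, registry):
    """Compare set-id files found on disk against the registry."""
    report = {"unregistered": [], "mode_mismatch": [], "missing": []}
    for path, mode in sorted(found.items()):
        if path not in registry:
            report["unregistered"].append(path)    # set-id on disk, never registered
        elif registry[path] != mode:
            report["mode_mismatch"].append(path)   # registered with different bits
    # Registered, but absent from disk or no longer carrying set-id bits.
    report["missing"] = sorted(p for p in registry if p not in found)
    return report

if __name__ == "__main__":
    result = audit(scan_setid("/usr/bin"), parse_registry(SAMPLE_REGISTRY))
    for kind, paths in result.items():
        for path in paths:
            print(f"{kind}: {path}")
```
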