sudo and changes in packaging guidelines
Horst H. von Brand
vonbrand at inf.utfsm.cl
Fri Apr 13 19:03:04 UTC 2012
Chris Adams <cmadams at hiwaay.net> wrote:
> Once upon a time, Adam Jackson <ajax at redhat.com> said:
> > On 4/13/12 2:37 PM, Frank Ch. Eigler wrote:
> > >
> > >>[...]
> > >>If your package meets the following criteria you MUST enable the PIE
> > >>compiler
> > >>flags:
> > >>[...]
> > >> * Your package runs as root.
> > >>[...]
> > >
> > >If this is meant to cover administrative binaries that have no
> > >privilege escalation pieces of their own, merely run by root, then
> > >what makes them different from any other /bin/* program that a root
> > >process might invoke?
> >
> > It's not meant to cover that. That phrasing is meant to cover system
> > components like init that do not function _unless_ run as uid 0.
>
> How about adding an "only" to the sentence then, like:
>
> * Your package runs only as root.
Nope. A program running as SGID games (or any other "different than the
user starting it" or "needs any special privileges") should be included
here.
--
Dr. Horst H. von Brand User #22616 counter.li.org
Departamento de Informatica Fono: +56 32 2654431
Universidad Tecnica Federico Santa Maria +56 32 2654239
Casilla 110-V, Valparaiso, Chile 2340000 Fax: +56 32 2797513
More information about the devel
mailing list