sudo and changes in packaging guidelines
Chris Adams
cmadams at hiwaay.net
Fri Apr 13 19:44:32 UTC 2012
Once upon a time, Horst H. von Brand <vonbrand at inf.utfsm.cl> said:
> Chris Adams <cmadams at hiwaay.net> wrote:
> > Once upon a time, Adam Jackson <ajax at redhat.com> said:
> > > On 4/13/12 2:37 PM, Frank Ch. Eigler wrote:
> > > >
> > > >>[...]
> > > >>If your package meets the following criteria you MUST enable the PIE
> > > >>compiler
> > > >>flags:
> > > >>[...]
> > > >> * Your package runs as root.
> > > >>[...]
> > > >
> > > >If this is meant to cover administrative binaries that have no
> > > >privilege escalation pieces of their own, merely run by root, then
> > > >what makes them different from any other /bin/* program that a root
> > > >process might invoke?
> > >
> > > It's not meant to cover that. That phrasing is meant to cover system
> > > components like init that do not function _unless_ run as uid 0.
> >
> > How about adding an "only" to the sentence then, like:
> >
> > * Your package runs only as root.
>
> Nope. A program running as SGID games (or any other "different than the
> user starting it" or "needs any special privileges") should be included
> here.
That is already not covered under the particular rule in question (I
believe it was covered under another rule). I was only suggesting a
clarification of the "runs as root" rule.
--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
More information about the devel
mailing list