cvs commit: ports/audio/arts Makefile

Wesley Morgan morganw at chemikals.org
Wed Mar 3 13:34:25 PST 2004


On Wed, 3 Mar 2004, Jacques A. Vidrine wrote:

> On Tue, Mar 02, 2004 at 12:52:50PM -0500, Will Andrews wrote:
> > On Tue, Mar 02, 2004 at 11:50:29AM -0600, Jacques A. Vidrine wrote:
> > > I have no intention.  However, for ports that do not require the
> > > set-user-ID bit in order to function (and this is demonstrably true
> > > with arts), I would like not to install with set-user-ID by default.
> >
> > Then we disagree on the definition of "function".  I do not think
> > there is any reason to believe that the setuid bit on artswrapper
> > is a threat to anybody.  So let it be.
>
> Yes, we disagree.  I believe that artswrapper *could* be a threat, or I
> wouldn't be here.
>
> As I said previously, I have witnessed several instances where other
> operating systems distributed packages that contained set-user-ID binaries,
> and it became a security issue.  Because we (FreeBSD Project) are not
> so reckless, we distribute the exact same packages but without the
> set-user-ID set.  Result:  The other OSs have security bugs that we
> don't.

IMO any port that wishes to install a suid binary by default should be
required to get approval from the FreeBSD Security Team, and their
decisions, not the port maintainers', be final in cases where it is
optional. This in addition to any prominent warnings about suid binaries
deemed necessary.


-- 
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!

