Re: A question on setting setuid bit

2007-01-02 Thread Ian Jackson
LEE, Yui-wah (Clement) writes ("Re: A question on setting setuid bit"): > This is an experimental package that we built and > evaluated internally (up to this moment). The program > that needs setuid is a cgi-bin program that is invoked > by apache2, which runs as a regul

Re: A question on setting setuid bit

2006-07-16 Thread Josselin Mouette
On Friday, 07 July 2006 at 23:54 +0200, Javier Fernández-Sanguino Peña wrote: > I can do the security risk analysis for you: granting remote root through a > web > server application is a recipe for disaster, those tactics were (or should > have been) abandoned ages ago. Unfortunately web

Re: A question on setting setuid bit

2006-07-10 Thread Ian Jackson
LEE, Yui-wah (Clement) writes ("Re: A question on setting setuid bit"): > This is an experimental package that we built and > evaluated internally (up to this moment). The program > that needs setuid is a cgi-bin program that is invoked > by apache2, which runs as a regul

Re: A question on setting setuid bit

2006-07-07 Thread LEE, Yui-wah (Clement)
Hi, Thanks for articulating the risk. We will address it later. The machines involved are experimental prototypes, not production machines. Clement On Fri, 7 Jul 2006, Javier Fernández-Sanguino Peña wrote: > On Fri, Jul 07, 2006 at 04:42:47PM -0400, LEE, Yui-wah (Clement) wrote: > >

Re: A question on setting setuid bit

2006-07-07 Thread Javier Fernández-Sanguino Peña
On Fri, Jul 07, 2006 at 04:42:47PM -0400, LEE, Yui-wah (Clement) wrote: > Hi, > > This is an experimental package that we built and > evaluated internally (up to this moment). The program > that needs setuid is a cgi-bin program that is invoked > by apache2, which runs as a regular user www-data.

Re: A question on setting setuid bit

2006-07-07 Thread LEE, Yui-wah (Clement)
Hi, This is an experimental package that we built and evaluated internally (up to this moment). The program that needs setuid is a cgi-bin program that is invoked by apache2, which runs as a regular user www-data. The cgi-bin program, however, needs to interact with iptables. I know setuid program

Re: A question on setting setuid bit

2006-07-07 Thread Ian Jackson
LEE, Yui-wah (Clement) writes ("A question on setting setuid bit"): > I am building a package in which one of the binaries has > to have the setuid and setgid bits set. I wonder which > one of the following two is the more appropriate method > to use? Forgive my scepticism, but which package, and w

Re: A question on setting setuid bit

2006-07-06 Thread Matthew Palmer
On Thu, Jul 06, 2006 at 11:13:30AM +0200, Thibaut Paumard wrote: > On Thursday, 06 July 2006 at 07:36 +1000, Matthew Palmer wrote: > [about suid bits] > > My personal preference would be for the maintainer to just take a stand, set > > it or not, and let people who actually know what's going on to

Re: A question on setting setuid bit

2006-07-06 Thread LEE, Yui-wah (Clement)
Hi, Thanks for all the responses. I finally settled on the suggestion of Matt ("install" with the right permissions, and then use "dh_fixperms -X" to exclude these files' permissions from being reset to Debian's default values). Thanks! Clement On Wed, 5 Jul 2006, Matthew Palmer wrote: > The co

Re: A question on setting setuid bit

2006-07-06 Thread Frank Küster
Thibaut Paumard <[EMAIL PROTECTED]> wrote: > On Thursday, 06 July 2006 at 07:36 +1000, Matthew Palmer wrote: > [about suid bits] >> My personal preference would be for the maintainer to just take a stand, set >> it or not, and let people who actually know what's going on to use >> dpkg-statoverri

Re: A question on setting setuid bit

2006-07-06 Thread sean finney
On Thu, Jul 06, 2006 at 11:13:30AM +0200, Thibaut Paumard wrote: > In that case, does it make sense to prompt the admin once from the > postinst script with a message such as: > "Warning: from installed with suid bit. If > this is unacceptable at your site, use dpkg-statoverride to clear this >

Re: A question on setting setuid bit

2006-07-06 Thread Thibaut Paumard
On Thursday, 06 July 2006 at 07:36 +1000, Matthew Palmer wrote: [about suid bits] > My personal preference would be for the maintainer to just take a stand, set > it or not, and let people who actually know what's going on to use > dpkg-statoverride to fix the problem to their satisfaction. (This

Re: A question on setting setuid bit

2006-07-05 Thread Matthew Palmer
On Wed, Jul 05, 2006 at 09:36:37AM +0100, Steve Kemp wrote: > On Tue, Jul 04, 2006 at 08:37:52PM -0400, LEE, Yui-wah (Clement) wrote: > > > I am building a package in which one of the binaries has > > to have the setuid and setgid bits set. I wonder which > > one of the following two is the more ap

Re: A question on setting setuid bit

2006-07-05 Thread Brendan O'Dea
On Wed, Jul 05, 2006 at 04:02:43AM -0400, sean finney wrote: >On Wed, Jul 05, 2006 at 04:39:12PM +1000, Matthew Palmer wrote: >> dpkg-statoverride is a tool for the system administrator to specify a >> different mode or ownership for a file to that which is provided in the >> package. It is not me

Re: A question on setting setuid bit

2006-07-05 Thread sean finney
On Wed, Jul 05, 2006 at 03:25:37PM +0200, Tollef Fog Heen wrote: > | On Wed, Jul 05, 2006 at 04:39:12PM +1000, Matthew Palmer wrote: > | > dpkg-statoverride is a tool for the system administrator to specify a > | > different mode or ownership for a file to that which is provided in the > | > packag

Re: A question on setting setuid bit

2006-07-05 Thread Tollef Fog Heen
* sean finney | On Wed, Jul 05, 2006 at 04:39:12PM +1000, Matthew Palmer wrote: | > dpkg-statoverride is a tool for the system administrator to specify a | > different mode or ownership for a file to that which is provided in the | > package. It is not meant to be used by the package. | | there

Re: A question on setting setuid bit

2006-07-05 Thread Steve Kemp
On Tue, Jul 04, 2006 at 08:37:52PM -0400, LEE, Yui-wah (Clement) wrote: > I am building a package in which one of the binaries has > to have the setuid and setgid bits set. I wonder which > one of the following two is the more appropriate method > to use? It looks like you've got the answer to t

Re: A question on setting setuid bit

2006-07-05 Thread sean finney
On Wed, Jul 05, 2006 at 04:39:12PM +1000, Matthew Palmer wrote: > dpkg-statoverride is a tool for the system administrator to specify a > different mode or ownership for a file to that which is provided in the > package. It is not meant to be used by the package. there are cases where it's approp

Re: A question on setting setuid bit

2006-07-04 Thread Matthew Palmer
On Wed, Jul 05, 2006 at 07:34:02AM +0200, Bartosz Fenski aka fEnIo wrote: > On Tue, Jul 04, 2006 at 08:37:52PM -0400, LEE, Yui-wah (Clement) wrote: > > I am building a package in which one of the binaries has > > to have the setuid and setgid bits set. I wonder which > > one of the following two is

Re: A question on setting setuid bit

2006-07-04 Thread Tollef Fog Heen
Bartosz Fenski aka fEnIo wrote: 3. Use dpkg-statoverride in your postinst script. Don't do this, just ship the file in the package with the correct permissions. dpkg-statoverride is (mostly) an admin tool which lets you change default permissions. See http://lists.debian.org/debian-devel/

Re: A question on setting setuid bit

2006-07-04 Thread Bartosz Fenski aka fEnIo
On Tue, Jul 04, 2006 at 08:37:52PM -0400, LEE, Yui-wah (Clement) wrote: > I am building a package in which one of the binaries has > to have the setuid and setgid bits set. I wonder which > one of the following two is the more appropriate method > to use? > > 1. Use "install -m 6755 " in the insta