Historical bug tracker for the Pacman package manager.
The pacman bug tracker has moved to gitlab:
https://gitlab.archlinux.org/pacman/pacman/-/issues
This tracker remains open for interaction with historical bugs during the transition period. Any new bugs reports will be closed without further action.
FS#17000 - Alert when suid binaries are installed
Attached to Project:
Pacman
Opened by Phillip Smith (fukawi2) - Wednesday, 04 November 2009, 05:37 GMT
Last edited by Andrew Gregory (andrewgregory) - Friday, 04 December 2015, 00:05 GMT
Details
Similar to FreeBSD ports, when a suid binary is installed, an alert is shown to the user:
===> SECURITY NOTE: This port has installed the following binaries which execute with increased privileges.
Could pacman do a similar thing to assist administrators in keeping an eye on security? Especially when AUR packages are installed which could be hiding something nefarious...
Closed by Andrew Gregory (andrewgregory)
Friday, 04 December 2015, 00:05 GMT
Reason for closing: Won't implement
Additional comments about closing: Use a hook.
Seriously now, it sounds ok and doable.
If the pacman master (== Dan) thinks it is a good idea, I could look how to implement.
2. If we travel down the security path, we might be going into a rabbit hole where we are going to have to implement 10x more of these features (e.g. non-root file in /etc/, directory sticky bits, etc.)
3. You probably shouldn't have brought the AUR into the report, Xavier knows my love for things like yaourt. Considering pacman is a binary package manager and ports is a source package tool, are we comparing apples to apples here?
> ls -l $(which ping)
-rwsr-xr-x 1 root root 31020 2008-10-04 22:19 /bin/ping
I am of the opinion that this is not an issue that pacman should solve. Pacman installs and tracks packages. It does not check what it installs and that is not its job.
Should it be a makepkg issue? There is now a check_package routine that does some basic package checking but I do not want makepkg to become a full package checking utility. Currently the checking is limited to checking for references to $srcdir (namcap can not do that) and that backup files are in the package (hmm... namcap could do that...). So I say not a makepkg issue either.
That leaves nothing pacman related! :P
Dan -> ports does both the source and binary management, and this notice comes up during the install (ie, binary) stage. So it's kind of an apples to apple pies comparison :P
Allan -> Point taken regarding potential for bug reports on things like ping! Perhaps either:
1) Make it configurable in pacman.conf, with default being 'off'
2) Word it a little less strongly than FreeBSD ports does. Make it a 'notice' rather than a 'warning'?
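The closing note resolves the request with "Use a hook". The script below is an added example, not code from the pacman project or from any commenter here: a POSIX shell script that a PostTransaction alpm hook runs with NeedsTargets, printing a ports-style notice for newly installed files that carry the setuid or setgid bit. The hook file path, the script name setid-notice and the Target pattern are assumptions.

```shell
#!/bin/sh
# Hypothetical hook file (assumed path) /etc/pacman.d/hooks/setid-notice.hook:
#
#   [Trigger]
#   Operation = Install
#   Operation = Upgrade
#   Type = Path
#   Target = usr/bin/*
#
#   [Action]
#   Description = Checking for setuid/setgid binaries...
#   When = PostTransaction
#   Exec = /usr/local/bin/setid-notice
#   NeedsTargets
#
# With NeedsTargets, libalpm writes the matched target paths (relative to the
# filesystem root, one per line) to the hook's stdin; this script reads them.

# report_setid_files ROOT: read relative paths from stdin and print the full
# path of each regular file under ROOT whose setuid (-u) or setgid (-g) bit is set.
report_setid_files() {
    root=${1:-/}
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        f="${root%/}/${rel#/}"
        # Skip symlinks so a file reached through two names is reported once.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        if [ -u "$f" ] || [ -g "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# setid_notice ROOT: print a notice in the FreeBSD ports style (option 2 in the
# discussion: a notice, not a warning) and always exit 0, so the hook never
# turns an informational finding into a failed transaction.
setid_notice() {
    found=$(report_setid_files "$1")
    if [ -n "$found" ]; then
        echo "==> NOTICE: the following installed files execute with increased privileges:"
        printf '%s\n' "$found" | while IFS= read -r f; do ls -l "$f"; done
    fi
    return 0
}

# Act as the hook only when run under the installed name; under any other
# name the file just defines the functions above (e.g. when sourced for tests).
case "${0##*/}" in
    setid-notice) setid_notice "${1:-/}" ;;
esac
```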