hooks/post-install: add check setuid/setgid hook #33011
4fb1426 to 0a2b7cd
If we'll need an xlint for the set{u,g}id, would it make sense to have it require an explanatory comment (like for |
Going through the list, there's some odd ones I'm not sure what to do with
There's also some packages I barely comprehend in the first place and will not attempt to allow/fix
Packages I can tell need setuid/setgid are being marked as allowed and pushed to I'll be making PRs to void-packages directly for packages that appear to not need suid/sgid, as was the case for vpsm: #36489. I'll list those here if there's more.
I don't think we should require a comment. If something is not obvious, we can always add the comment.
0a2b7cd to 9b1d04d
fi | ||
done | ||
if [ -n "$matched" ]; then | ||
echo "$2 file: ${setidfile#$PKGDESTDIR}" |
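Review bot: in the `echo` line, `${setidfile#$PKGDESTDIR}` leaves `$PKGDESTDIR` unquoted inside the prefix-removal expansion, so its value is matched as a shell pattern rather than as literal text. If the destination path ever contains `*`, `?` or `[`, the prefix can fail to strip or strip the wrong span, and the reported path becomes misleading. Quote the inner expansion, `${setidfile#"$PKGDESTDIR"}`, so the prefix is always treated literally.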
I observe in other hooks that printed text tends to be prefixed by 3 spaces. Should that be the case for that print?
In 0x5c@9cd5290 I allowed thttpd's |
9b1d04d to 64492fa
dd42f6d to 97bf7c9
Setuid root appears required by xlock on systems that use shadow passwords, according to the README. Requires confirmation.
The makeweb tool needs sgid. However, thttpd is configured at compile time, and it's unclear if our config (the default) allows usage of `makeweb`. That tool also doesn't look like a superb thing to unconditionally ship in the main package since it can't be configured by the system admin. Perhaps it should be split into a subpackage?
97bf7c9 to f889f1e
I don't think that 9cb2e7b is safe to have, considering that that sgid is supposed to be for group |
For electron's |
Closes #32156
cc @ericonr