From: Vincent Danen (vdanenmandrakesoft.com)
Date: Mon Dec 17 2001 - 00:31:06 CST


    On Sun Dec 16, 2001 at 11:01:11PM -0600, Steve Fox wrote:

    > > I do think an suid audit is in order, however some apps do need to be
    > > suid. Two that come to mind that must be suid are openssh and gpg.
    >
    > Yes, this is extremely annoying that SSH is suid. The only reason it
    > would ever need it is for rsh compatibility, which shouldn't even be
    > allowed. Every time I upgrade openssh, I have to remember to un-suid the
    > ssh binary in order for SSH to work through socks (Dante).

    Sorry, this will never change. It is by the author's recommendation
    that the binary is suid... if you want to fight with Theo about it,
    feel free. But I warn you, he's not the nicest guy to have pissed off
    at you.

    IIRC, we removed the suid bit from ssh once and he yelled at us for
    it, saying that it was broken. As a result, we no longer apply
    unauthorized patches to openssh, we don't remove suid bits, and we
    don't make any announcements about it without the development team's
    approval of the text.

    Sorry, but you're going to have to continue stripping it manually. It
    isn't worth fighting with Theo over.

    -- 
    MandrakeSoft Security, OpenPGP key available on www.keyserver.net
    1024D/FE6F2AFD   88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD
    

    Current Linux kernel 2.4.8-34.1mdk uptime: 27 days 7 hours 59 minutes.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQE8HZEqIEPQ5f5vKv0RAhw0AJ4ifCQj2wHFd/hPBSnK2Lcca2dQXwCfUgoG
    BrAGTImL3sES8gR8O5fgmtM=
    =B5EW
    -----END PGP SIGNATURE-----
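The thread calls for a suid audit and describes stripping the setuid bit from ssh by hand after every upgrade. The script below is an added example, not code from the original message, from MandrakeSoft or from the OpenSSH project: it lists setuid and setgid executables under a tree, diffs them against an allow-list, and removes the setuid bit from one binary while verifying that it is really gone. The directory layout and the allow-list file in the usage lines are constructed for illustration; on a real host you would run the audit against / as root and keep the allow-list under version control so that an upgrade that silently restores the bit shows up as an unexpected entry.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a filesystem tree for
# setuid/setgid executables, compare against an allow-list, and strip the
# setuid bit from a binary with verification.

# suid_audit DIR
# Print every regular file under DIR with the setuid (04000) or setgid (02000)
# bit set, one absolute path per line, sorted so runs can be diffed.
# -xdev keeps the walk on one filesystem, so /proc and NFS mounts are skipped.
suid_audit() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# suid_unexpected DIR ALLOWLIST
# Print the audit entries that are not listed in ALLOWLIST.
# Assumption: ALLOWLIST holds one absolute path per line (exact matches only,
# no globs), so an empty file reports every setuid/setgid file as unexpected.
suid_unexpected() {
    suid_audit "$1" | grep -vxF -f "$2"
}

# strip_suid FILE
# Remove the setuid bit from FILE and succeed only if the bit is really gone;
# chmod can return 0 on some filesystems that silently drop the change, so the
# -u test is the actual check.
strip_suid() {
    chmod u-s "$1" && [ ! -u "$1" ]
}

# Usage on a constructed tree (hypothetical paths, created only for the demo):
#   tmp=$(mktemp -d)
#   mkdir -p "$tmp/usr/bin"
#   printf '#!/bin/sh\n' > "$tmp/usr/bin/ssh"
#   printf '#!/bin/sh\n' > "$tmp/usr/bin/passwd"
#   chmod 4755 "$tmp/usr/bin/ssh" "$tmp/usr/bin/passwd"
#   printf '%s\n' "$tmp/usr/bin/passwd" > "$tmp/allow"
#   suid_unexpected "$tmp" "$tmp/allow"      # reports only .../usr/bin/ssh
#   strip_suid "$tmp/usr/bin/ssh" && suid_unexpected "$tmp" "$tmp/allow"  # now empty
```

The reason the setuid bit breaks Dante's socksify, as the thread reports, is that socksify works by LD_PRELOAD and the dynamic loader ignores LD_PRELOAD for set-user-ID executables; there is no configuration that lets the preload through, so stripping the bit or using a socks-aware ProxyCommand are the only options.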