On Mon, 25 Jan 2010 14:24, ans...@2008.43-1.org said: > Yes, that is fine with me. Changing the default may break assumptions > made by existing applications after all.
Of course we will not change the default. > It would be nice if the documentation could mention that libraries that > initialize gcrypt themselves should use this hack. Otherwise the That will never happen. This is totally bogus. If an application does not properly initialize libgcrypt it is in any case a severe error. However, Libgcrypt tries to minimize the bad effects of this and thus in general it works just fine. Dropping extended privileges is a part of this. > side effect of changing user ids is "inherited" by the library (which is > what was the problem here: the changing of user ids was inherited by > libnss-ldap via openldap and gnutls). Are you trying to tell us that there is an application with dependencies to libnss, openldap and gnutls and that one is intended to be run suid? Did you audit all that code and the way the code is used to be written properly in a way that the suid-ness is not exploitable? Given how hard it is to even write a small suid application I have severe doubts about the application and whether my proposed hack makes sense at all. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
