Hello, I received the following bug report about fdutils a while ago, but haven't had time to deal with it yet. Basically, the bug reporter is concerned that the suid'ed fdmount could be insecure, because fdmount's manpage warns the user not to rely on it being secure.
So far, my suid'ed fdmount hasn't given me any trouble, the upstream defaults to suid'ing it, and I haven't heard any security warnings from CERT (?) etc. either. However, I have to admit that I do not know that much about security. As the Slink deep freeze and release are impending, I would like to ask your advice: should I follow the suggestion given by the bug reporter Thomas Roessler? If so, should I fix this bug before Slink is out? I am kind of busy with school now and would like to put it off till the holiday, but if all of you experienced developers feel that it is urgent, I will try to fix it before Slink is released.

Thanks again. :-) I have attached the bug report below.

Cheers,
Anthony

Package: fdutils; Reported by: Thomas Roessler <[EMAIL PROTECTED]>; dated Thu, 24 Sep 1998 15:33:01 GMT; Maintainer for fdutils is Anthony Fok <[EMAIL PROTECTED]>.

==================

Package: fdutils
Version: 5.2pl4-3

[This is on a current hamm system.]

Even fdmount's own manual page says that users should not rely on the program being secure. I consider it a bug that the fdutils package installs this program suid root regardless of this warning.

Either you have checked the program's security - in this case you may install it suid root and remove the warning from the manual page. Or you didn't do the checks you should - in this case you should release a new package which installs the program mode 755 by default and tells the user that he can get full functionality only when registering it suid root. (gnuplot does something like this using suidmanager.)

Regards,
tlr

-- System Information
Debian Release: 2.0
Kernel Version: Linux sobolev 2.1.122 #43 SMP Thu Sep 17 14:24:19 MEST 1998 i586 unknown

Versions of the packages fdutils depends on:
ii libc6 2.0.7t-1 The GNU C library version 2 (run-time files)
ii makedev 1.6-32 Creates special device files in /dev.
--
Anthony Fok Tung-Ling
Civil and Environmental Engineering, University of Alberta, Canada
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Keep smiling! *^_^*
Come visit Our Lady of Victory Camp -- http://www.olvc.ddns.org/ or http://www.ualberta.ca/~foka/OLVC/
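The check the bug report asks the maintainer to make (is the binary actually shipped setuid root, and what mode is left once the bit is dropped to the proposed 755 default), written out as an added shell example. This is not part of the mailing-list post, of the bug report, or of the fdutils package; it assumes a Linux system with GNU coreutils (`stat -c`) and `find -perm`/`-user`, and the file names used for trying it out are constructed scratch files, not real package paths.

```shell
#!/bin/sh
# Added example, not from the post or from fdutils: audit helpers for the
# "is it installed setuid root?" question raised in the bug report.
# Assumes GNU coreutils stat(1) and a find(1) that understands -perm -4000.

# Classify one path. Prints one of: setuid-root, setuid-nonroot, not-setuid, missing.
# Returns 1 only when the path does not exist.
setuid_status() {
    path=$1
    if [ ! -e "$path" ]; then
        echo missing
        return 1
    fi
    # [ -u ] is the POSIX test for the setuid bit; the owner decides whether
    # the bit grants root (the case the report is worried about) or not.
    if [ -u "$path" ]; then
        if [ "$(stat -c '%U' "$path")" = root ]; then
            echo setuid-root
        else
            echo setuid-nonroot
        fi
    else
        echo not-setuid
    fi
}

# Drop only the setuid bit and print the resulting octal mode, so a 4755
# binary ends up as the 755 default the report proposes, other bits untouched.
drop_setuid() {
    chmod u-s "$1" && stat -c '%a' "$1"
}

# List every regular file that is setuid AND owned by root under a tree,
# staying on one filesystem (-xdev); sorted so two runs can be diffed.
list_setuid_root() {
    find "$1" -xdev -type f -perm -4000 -user root 2>/dev/null | sort
}

# Number of setuid-root files under a tree; a quick before/after figure.
count_setuid_root() {
    list_setuid_root "$1" | wc -l | tr -d ' '
}

# Walk-through on a constructed scratch directory (no real binaries touched).
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/fdmount"            # stand-in for the installed binary
    chmod 4755 "$tmp/fdmount"      # the mode the package currently installs
    printf 'before: %s\n' "$(setuid_status "$tmp/fdmount")"
    printf 'mode after drop: %s\n' "$(drop_setuid "$tmp/fdmount")"
    printf 'after:  %s\n' "$(setuid_status "$tmp/fdmount")"
    printf 'setuid-root files left: %s\n' "$(count_setuid_root "$tmp")"
    rm -rf "$tmp"
}
```

Run `list_setuid_root /usr` (or `count_setuid_root /usr`) before and after installing a package to see exactly which files it registered setuid root; `demo` exercises the helpers on throwaway files only.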