commit:     149971ceeeda2dc830bcad1e8e6b410989f76846
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Sun Nov 10 22:04:06 2024 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 01:31:27 2024 +0000
URL:        https://gitweb.gentoo.org/proj/portage.git/commit/?id=149971ce

make.globals: disable FEATURES="sfperms" by default

Removing the read bit from suid binaries has questionable security
benefit, and may cause problems for some software.

Bug: https://bugs.gentoo.org/938164
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 NEWS             | 3 +++
 cnf/make.globals | 3 +--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index ac0741d953..a9a2c0e80a 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,9 @@ Release notes take the form of the following optional 
categories:
 * Bug fixes
 * Cleanups
 
+Security:
+* make.globals: disable FEATURES="sfperms" by default (bug #938164).
+
 Bug fixes:
 * depgraph: Ignore blockers when computing virtual deps visibility (PR #1387).
 
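Review bot: The new "Security:" entry tells users the default flipped but not what they lose or how to get it back; since the commit message says the benefit is questionable and the feature can break software, a reader of NEWS should not have to follow bug #938164 to learn that. Suggest extending the line to something like "make.globals: disable FEATURES="sfperms" by default; Portage no longer strips the read bit from setuid/setgid files at merge time. Add sfperms to FEATURES in make.conf to restore the old behaviour (bug #938164)." That also makes clear this is a default change rather than a fix for a vulnerability, which the "Security:" heading alone does not.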

diff --git a/cnf/make.globals b/cnf/make.globals
index 33e99e9ec3..94eac65684 100644
--- a/cnf/make.globals
+++ b/cnf/make.globals
@@ -79,8 +79,7 @@ FEATURES="assume-digests binpkg-docompress binpkg-dostrip 
binpkg-logs
           config-protect-if-modified distlocks ebuild-locks
           fixlafiles ipc-sandbox merge-sync merge-wait multilib-strict
           network-sandbox news parallel-fetch pkgdir-index-trusted pid-sandbox
-          preserve-libs protect-owned qa-unresolved-soname-deps
-          sandbox sfperms strict
+          preserve-libs protect-owned qa-unresolved-soname-deps sandbox strict
           unknown-features-warn unmerge-logs unmerge-orphans userfetch
           userpriv usersandbox usersync"
 
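Review bot: The edit to the default FEATURES list is correct (sfperms removed, the remaining entries still read in order, and the reflow keeps the line within the existing width), but the change is only a default: any installed setuid/setgid files that were already merged with the read bit removed keep that mode until the package is re-merged, while newly merged ones will carry whatever permissions the ebuild sets. Worth saying so in the commit message or NEWS, and worth checking that the FEATURES documentation (man make.conf / make.conf.example) still describes sfperms accurately now that it is opt-in rather than on by default.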
