From: Michael Richardson
Newsgroups: muc.lists.netbsd.tech.security
Subject: Re: hardlinks to setuid binaries
Date: Thu, 31 Mar 2022 12:58:02 -0400
Message-ID: <19821.1648745882@localhost>
References: <4455.1648471351@splode.eterna.com.au>

> However, an audit of package hardlink count, warning on check,
> block on upgrade (without --force), to facilitate finding extra links,
> seems like a low cost sanity check?

It sure seems like it's the upgrade process that needs to care to remove
"old" suid bits on old executables.
Or alternatively, overwrite them without changing the inode.
It's a tussle as to which is better.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | IoT architect      [
]     mcr@sandelman.ca  http://www.sandelman.ca/        | ruby on rails      [
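The two ideas in this message, the quoted hardlink-count audit and stripping the "old" set-id bits before an upgrade replaces the file, sketched in Python as an added example (not code from the thread or from NetBSD's package tools). The function names and the `unaccounted` field are assumptions made for illustration.

```python
import os
import stat
from collections import defaultdict

SETID = stat.S_ISUID | stat.S_ISGID


def audit_setid_links(root):
    """Map (dev, inode) -> details for set-id regular files with nlink > 1.

    'unaccounted' counts links that exist somewhere outside the scanned tree.
    """
    paths, nlink = defaultdict(list), {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable while scanning
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID and st.st_nlink > 1:
                key = (st.st_dev, st.st_ino)
                paths[key].append(path)
                nlink[key] = st.st_nlink
    return {
        key: {"nlink": nlink[key], "paths": sorted(found),
              "unaccounted": nlink[key] - len(found)}
        for key, found in paths.items()
    }


def replace_stripping_old(target, new_file, mode):
    """Install new_file over target, clearing set-id bits on the old inode first.

    Any stray hardlink keeps the old contents but loses the privilege bits.
    """
    os.chmod(new_file, mode)
    try:
        old = os.lstat(target)
    except FileNotFoundError:
        old = None  # fresh install, nothing to strip
    if old is not None and stat.S_ISREG(old.st_mode) and old.st_mode & SETID:
        os.chmod(target, stat.S_IMODE(old.st_mode) & ~SETID)
    os.replace(new_file, target)  # new inode; old one survives only via other links
```

Because hardlinks cannot cross filesystems, a non-zero `unaccounted` after scanning a whole filesystem from its root points at directories the scan could not read.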