From: "Jacques A. Vidrine"
To: Will Andrews
Cc: cvs-ports@freebsd.org, cvs-all@freebsd.org, Michael Nottebrock, ports-committers@freebsd.org
Date: Wed, 3 Mar 2004 08:44:20 -0600
Subject: Re: cvs commit: ports/audio/arts Makefile
Message-ID: <20040303144420.GB31654@madman.celabo.org>

On Tue, Mar 02, 2004 at 12:52:50PM -0500, Will Andrews wrote:
> On Tue, Mar 02, 2004 at 11:50:29AM -0600, Jacques A. Vidrine wrote:
> > I have no intention. However, for ports that do not require the
> > set-user-ID bit in order to function (and this is demonstrably true
> > with arts), I would like not to install with set-user-ID by default.
>
> Then we disagree on the definition of "function". I do not think
> there is any reason to believe that the setuid bit on artswrapper
> is a threat to anybody. So let it be.

Yes, we disagree. I believe that artswrapper *could* be a threat, or I
wouldn't be here.

As I said previously, I have witnessed several instances where other
operating systems distributed packages that contained set-user-ID
binaries, and it became a security issue. Because we (FreeBSD Project)
are not so reckless, we distribute the exact same packages but without
the set-user-ID set. Result: The other OSs have security bugs that we
don't. Of course, packages sometimes themselves appear to be coded
correctly and safe, but due to library bugs or even kernel bugs, can
actually present a risk.

So hell yes I will push to eliminate unnecessary set-user-ID binaries
in the ports system and in the base system. (not my top priority--- it
is just that seeing ports going the wrong way required interjection at
this point)

Feel free to argue about the definition of `function', but I have solid
reasons to distrust set-user-ID binaries that are there just for bells
and whistles (literally, in this case :-).

So, `function': It seems to me that there is a large subset of arts
users that do not need set-user-ID artswrapper. The stock KDE code does
not install with set-user-ID artswrapper. The KDE site warns about the
impact of using set-user-ID artswrapper. Our ports collection has not
installed it set-user-ID for years, and yet Google searches do not turn
up many issues related to this. Many ports depend on arts that will
never run artswrapper/artsd (my own desktop machine--- KDE free--- has
arts installed with 16 dependent ports).
Others have reported here that problems with `clicks' and what not are
not so common, and that many can be traced back ultimately not to lack
of set-user-ID artswrapper but to deeper system issues.

Let's have cake and eat it too. Make the set-user-ID optional, default
off. Using the wrapper as a separate port makes things quite flexible:
if you KDE guys are so adamant that KDE users MUST HAVE this
set-user-ID program (despite evidence to the contrary), then fine: you
guys go ahead and depend on the wrapper. Then as response time bugs are
shaken out, it will be easy to revisit. Or if we grow a method of
controlling real-time priority that doesn't require root, it will be a
simple matter of `portupgrade artswrapper' for 5.x users.

Cheers,
-- 
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org