On Wed, Oct 29, 2008 at 8:53 AM, Colin Walters
> Note that from the desktop direction we've been moving the OS away
> from exec-based domain transitions to message passing (e.g. PolicyKit)
> for a variety of reasons. I think it might be worth considering
> introducing a rule actually in Fedora for "no new SUID/fcap binaries",
> or at least they would have to pass some sort of robust review
> process.

I think I like that idea. As part of that, is there a way we could get
a comprehensive list of the suid binaries we currently carry that
would be grandfathered in? So we can know how concerted extra effort
would need to be done to help existing packages come into compliance?
-jef
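
One way to build the inventory asked about above and check it against a grandfathered list, as an added example that is not part of the original thread or of any Fedora tooling. The function names and the one-path-per-line allowlist format are assumptions, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example: inventory setuid/setgid (and file-capability) binaries and
# flag any that are not on a grandfathered allowlist.

# Print regular files under ROOT ($1) with the setuid or setgid bit, sorted.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# Print files under ROOT ($1) that carry file capabilities, if getcap exists.
# Takes the first field of each getcap line, so paths with spaces are not handled.
list_fcap() {
    command -v getcap >/dev/null 2>&1 || return 0
    getcap -r "$1" 2>/dev/null | awk '{print $1}' | LC_ALL=C sort
}

# Print privileged files under ROOT ($1) that are missing from ALLOWLIST ($2),
# a file holding one grandfathered absolute path per line (assumed format).
not_grandfathered() {
    { list_suid_sgid "$1"; list_fcap "$1"; } | LC_ALL=C sort -u |
        grep -Fxv -f "$2" || [ $? -eq 1 ]   # grep exit 1 just means "nothing new"
}

# Constructed demo: a scratch tree with one grandfathered and one new binary.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$d/old-helper"
    printf '#!/bin/sh\n' > "$d/new-helper"
    printf '#!/bin/sh\n' > "$d/plain"
    chmod 4755 "$d/old-helper" "$d/new-helper"
    chmod 0755 "$d/plain"
    printf '%s\n' "$d/old-helper" > "$d/allowlist"
    not_grandfathered "$d" "$d/allowlist"   # prints only .../new-helper
    rm -rf "$d"
}
```

Running `list_suid_sgid /` on an installed system gives the starting list; anything `not_grandfathered` prints later is a candidate for the review process.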