Bug 1213490

Summary: security enhancement: no setuid
Product: [SUSE ALP - SUSE Adaptable Linux Platform] Granite Reporter: Guilherme Moro <gmoro>
Component: Bootable ImagesAssignee: Frederic Crozat <fcrozat>
Status: NEW --- QA Contact: Jiri Srain <jsrain>
Severity: Major    
Priority: P5 - None CC: forgotten_u0-bnvADNc, georg.pfuetzenreuter, gmoro, lnussel, qa-bugs
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 1171174    
Bug Blocks:    

Description Guilherme Moro 2023-07-19 14:42:23 UTC 
The way ALP is setting this in the config.sh is still broken, need to investigate consequences and if this is still the case.

+++ This bug was initially created as a clone of Bug #1171174 +++

setuid binaries are a potential attack vector for privilege escalation. MicroOS with it's limited scope has chance to close that hole by default and not ship any binaries with elevated privileges by default. Ie set the default level to "paranoid". This will prevent unprivileged (system) users from potentially exploiting

- shadow suite tools like passwd, chsh etc
- pam helpers unix{,2}_chkpwd
- wall, write
- clockdiff, ping
- dbus-daemon-launch-helper
- su
- sudo
- mount