[Pkg-xfce-devel] Bug#685832: Bug#685832: xfce4-sensors-plugin: xcfe4-sensors-plugin relies on a setuid hddtemp and recommends to setuid it

Eddy Petrișor eddy.petrisor at gmail.com
Mon Oct 28 18:36:42 UTC 2013


2013/5/29, Yves-Alexis Perez <corsac at debian.org>:

Hi Yves-Alexis,

> On sam., 2012-08-25 at 00:49 +0300, Eddy Petrișor wrote:
>> But there is an option to fetch hddtemp information without having hddtemp
>> setuid, to read directly from a local port. This option is now disabled at
>> buildtime because there is no netcat installed during build.
>>
>> So I just added netcat as a build depends and the resulting package works fine
>> and no longer recommends the user the unsafe option of running hddtemp
>> setuid.
>>
> Note that it also silently breaks for users who don't have hddtemp
> running as a root daemon, which is not a really nice solution either.

Does my patch work if hddtemp is not running as a root daemon?

My original bug report was about the fact the Debian package could be
built so it is more secure by default and doesn't suggest
security-problematic ideas to the user.
You forwarded another related issue to upstream (warning always on
start), but if the package is built with netcat installed, the warning
issue would be mitigated for all Debian users.

Since you are in the Uploaders list for this package and I am
wondering, could you apply the patch I sent and upload a new version?

-- 
Eddy Petrișor


