Considering shipping ssh-keysign non-setuid

Theo de Raadt deraadt at openbsd.org
Sat May 16 03:52:13 AEST 2026


Marc Haber <mh+openssh-unix-dev at zugschlus.de> wrote:

> >It affects any setuid program and it is my understanding that a typical
> >Linux ships with almost a hundred of those.
> 
> Fully agreed. Would you disagree if I said that it's a good idea to
> reduce the number of suid binaries in a deployed system? What would be
> the consequences of making this mistake in Debian?

I would strongly agree with decreasing setuid programs which are unsafe,
but it harms the narrative when the first one deleted is an extremely safe
one, which is deleted for a false reason.

Let's not be confused about the word "delete" above.  The proposal
really is "delete", because the program becomes non-functional, and
there is no replacement provided.  "Disable" is effectively the same as
"delete".  That method (of simply disabling) isn't viable for many of
the other setuid programs on Linux systems, or they would have been disabled,
I mean deleted, previous to this effort.

Qualys quite clearly chose this demonstrator because of their
familiarity with the ssh codebase, but as the hours go by I'm hearing of
more methods.

I'm simply saying this justification comes at a bad time and exposes that
it lacks logic.
