Considering shipping ssh-keysign non-setuid
Marc Haber
mh+openssh-unix-dev at zugschlus.de
Sat May 16 04:03:26 AEST 2026
On Fri, May 15, 2026 at 11:52:13AM -0600, Theo de Raadt wrote:
>Marc Haber <mh+openssh-unix-dev at zugschlus.de> wrote:
>> >It affects any setuid program and it is my understanding that a typical
>> >Linux ships with almost a hundred of those.
>>
>> Fully agreed. Would you disagree if I said that it's a good idea to
>> reduce the number of suid binaries in a deployed system? What would be
>> the consequences of making this mistake in Debian?
>
>I would strongly agree with decreasing setuid programs which are unsafe,
>but it harms the narrative when the first one deleted is an extremely safe
>one, which is deleted for a false reason.
>
>Let's not be confused about the word "delete" above. The proposal
>really is "delete", because the program becomes non-functional, and
>there is no replacement provided. "Disable" is effectively the same as
>"delete". That method (of simply disabling) isn't viable for many of
>the other setuid programs on Linux systems, or they would have been disabled,
>I mean deleted, previous to this effort.

The way Colin suggests it would just be one documented command away from
getting fully functional again, with that decision being preserved
through package updates. I disagree with your reckoning that this would
"delete" the program.

Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421