Is there a reason anyone competent would follow vendor instructions to install it suid?
This Tweet was deleted by the Tweet author. Learn more
Conversation
Replying to
The vendor software installs it setuid for you. It's not like they give you a choice, you just have to remove it later or be aware they did it.
1
Replying to
But why would you run the vendor installer as root rather than as user or fakeroot?
3
1
I agree this is bad and most users will get bitten by it. I was just wondering if there's a reason it's suid (like it doesn't work without lots of hackery if it's not suid) that leads people to let it be suid as path of least resistance, or if it's just bad security hygiene.
1
1
Replying to
it requires some access to usb devices so this could in fact be managed with group permissions to the respective /dev device and no need for setuid permissions.
2
1
Or properly tagging them as uaccess with udev if the intention is that users with physical access to the machine receive access to them automatically.
github.com/trezor/trezor-