Is there a reason anyone competent would follow vendor instructions to install it suid?
Conversation
Replying to
The vendor software installs it setuid for you. It's not like they give you a choice, you just have to remove it later or be aware they did it.
1
Replying to
But why would you run the vendor installer as root rather than as user or fakeroot?
3
1
Replying to
it prompts for elevated permissions on install, additionally most package managers like ArchLinux yourt include the binary as setuid root. I discovered this bug while hacking on the defcon2018 badge.
1
Worth noting that it's a third party package outside the officially repositories for people that aren't familiar with that. Lots of those unofficial packages make bad decisions, although they're just packaging the results of the installer in this case.
2
2
Sure, this is what's happening, but it's irresponsible on the distro's part. A modern distro should have a pretty absolute policy of no suids outside the core packages, or at least not in contrib packages that aren't subject to the level of review main-repo ones are.
1
1
5
It's a completely third party package, not one in a distribution contrib repository. Third party packages can be outright malicious and it doesn't even need to be subtle. It's a bad idea to use AUR helpers like yaourt since they encourage blindly trusting third party code.
2
2
OK, I don't understand everything about how Arch/AUR does stuff, and I'll probably catch a bunch of other dists in this criticism too...
2
1
In the past, the main repositories were [core] and [extra] with [community] as a less official disabled by default contrib repository. Eventually, [community] was enabled by default and is essentially no different from [extra] other than a broader group of people maintaining it.
1
The AUR is a separate thing. It's a site with user uploaded package sources. Instead of Arch users enabling a third party repository, they'll typically download AUR package sources, review them (hopefully) and build a package to install. People made helpers to automate it though.
1
Some of the helpers are quite well designed / reasonable like auracle (formerly cower), which just checks for updated package sources and downloads them. Some go too far and automate the process, which encourages not reviewing the PKGBUILD and install file which is really bad.