okay, this `please` program is rather bad, and the fix for CVE-2021-31153 is laughably wrong.
It doesn't appear they did basic research into the required security model for setuid/setgid/setcap binaries.
It's pretty unfortunate since they do seem to care about security but were totally clueless about it and made a LOT of obvious mistakes beyond just setuid-specific ones.
I don't understand how they ended up in the situation where they were writing a privilege escalation tool shipped by multiple Linux distributions. Some of the issues like the /tmp races are well known things not at all specific to the whole legacy setuid/setgid/setcap approach.
they've been submitting their program for inclusion to multiple Linux distributions! void, arch and alpine so far have NAKed it. debian and suse seem to have accepted it.
I've rarely heard of developers going out of the way to get their program included in a bunch of distributions. I didn't realize requesting package inclusion was even a thing in distributions beyond Debian. I don't really think it's a thing for Arch beyond annoying mailing lists.