(In reply to Matthias Gerstner from comment #4)
> The change in security context is rather limited here, since the postlog
> program only runs as the postdrop group. So no root privileges are involved.
>
> The main concern would be that the files owned by the postdrop group could be
> corrupted or could be disclosed, or processes owned by the postdrop group
> could be influenced in a bad way.
>
> The hardening efforts in the postlog code look pretty good. The command line
> parameters are limited and don't look harmful. Environment variables are
> handled with the required care. In the privilege escalation context no
> environment variables are trusted at all.
>
> The more or less only purpose of the postlog command is to send log data to
> syslog. The process name used in logging is limited to "postlog" so no
> spoofing should be possible there.
>
> What can be spoofed is the log message content as such, which is kind of by
> design. Maybe sudoers rules or something like it would have been more
> selective regarding who is actually allowed to log something as the postdrop user.
>
> Still the attack surface is manageable and I agree to whitelist the setgid
> setting in the permissions package.

Thank you. Will there also be an update of the permissions package for Leap 15.3 and 15.4?