make.globals: disable FEATURES="sfperms" by default

Removing the read bit from suid binaries has questionable security benefit, and may cause problems for some software. Bug: https://bugs.gentoo.org/938164 Signed-off-by: Mike Gilbert <floppym@gentoo.org>
gentoo · Nov 11, 2024 · 149971c · 149971c
1 parent 6648a0d
commit 149971c
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/NEWS b/NEWS
@@ -6,6 +6,9 @@ Release notes take the form of the following optional categories:
 * Bug fixes
 * Cleanups
 
+Security:
+* make.globals: disable FEATURES="sfperms" by default (bug #938164).
+
 Bug fixes:
 * depgraph: Ignore blockers when computing virtual deps visibility (PR #1387).
 

diff --git a/cnf/make.globals b/cnf/make.globals
@@ -79,8 +79,7 @@ FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs
           config-protect-if-modified distlocks ebuild-locks
           fixlafiles ipc-sandbox merge-sync merge-wait multilib-strict
           network-sandbox news parallel-fetch pkgdir-index-trusted pid-sandbox
-          preserve-libs protect-owned qa-unresolved-soname-deps
-          sandbox sfperms strict
+          preserve-libs protect-owned qa-unresolved-soname-deps sandbox strict
           unknown-features-warn unmerge-logs unmerge-orphans userfetch
           userpriv usersandbox usersync"