RSS

Secureblue Goes SUID-Less

Ganipote1 pts0 comments

Release v4.9.1 - Secureblue goes SUID-less! · secureblue/secureblue · GitHub

//releases/show" data-turbo-transient="true" />

Skip to content

Search or jump to...

Search code, repositories, users, issues, pull requests...

-->

Search

Clear

Search syntax tips

Provide feedback

--><br>We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

Cancel

Submit feedback

Saved searches

Use saved searches to filter your results more quickly

-->

Name

Query

To see all available qualifiers, see our documentation.

Cancel

Create saved search

Sign in

//releases/show;ref_cta:Sign up;ref_loc:header logged out"}"<br>Sign up

Appearance settings

Resetting focus

You signed in with another tab or window. Reload to refresh your session.<br>You signed out in another tab or window. Reload to refresh your session.<br>You switched accounts on another tab or window. Reload to refresh your session.

Dismiss alert

{{ message }}

secureblue

secureblue

Public

Uh oh!

There was an error while loading. Please reload this page.

Notifications<br>You must be signed in to change notification settings

Fork<br>98

Star<br>965

v4.9.1 - Secureblue goes SUID-less!

Latest

Latest

Compare

Choose a tag to compare

Sorry, something went wrong.

Filter

Loading

Sorry, something went wrong.

Uh oh!

There was an error while loading. Please reload this page.

No results found

View all tags

RoyalOughtness

released this

26 May 05:23

v4.9.1

a77b3f7

This commit was created on GitHub.com and signed with GitHub’s verified signature .

GPG key ID: B5690EEEBB952194

Verified

Learn about vigilant mode.

v4.9.1 - Secureblue goes SUID-less!

Reminder: releases are symbolic. Builds are created and published immediately after new commits are merged.

SUID-less

All secureblue main images (non-nvidia images) are now completely free of SUID and SGID executables. This is a substantial milestone for secureblue, as SUID-root and SGID-root executables are by their nature a source of substantial attack surface. In short, SUID and SGID executables are always executed with the privileges of the file's owner (often root), regardless of the caller's privileges. Secureblue had already removed all but one SUID and SGID executables from our main images, the remaining SUID executable being Polkit's agent helper. With the release of Polkit 127 and the switch to a socket-activated agent helper, the last SUID and SGID executable has been eliminated from our main images. On our nvidia images, there remains a single SUID executable: nvidia-modprobe. Once an alternative to SUID is implemented for nvidia-modprobe, our nvidia images will be free of SUID and SGID executables as well.

Upgrade on boot

Secureblue will now automatically check for, download, and apply upgrades on boot if an installation is more than one week out of date. This is not forced on users and can be cancelled by simply pressing Q. If users want secureblue to always upgrade on boot, they can run ujust set-always-upgrade-on-boot. Users should note however that this will overwrite rollback deployments since it deploys a new deployment while booting a staged deployment. This causes the rollback deployment to fall off the end of the deployments list. So, users that choose to set this setting should make sure to pin a known good deployment. Users should also note that the measured download loading bar shown below is only supported if no packages are layered. If any packages are layered, a simple spinner will be displayed.

What's Changed

fix: allow bluetooth_t to access AF_ALG sockets by @HastD in #2208

chore: add declarations to issue templates by @target6404 in #2204

feat: disable kernel modules to mitigate dirtyfrag by @HastD in #2212

feat: disable additional ipsec modules by @RoyalOughtness in #2213

feat: SELinux policy to deny userspace access to IPSec sockets by @HastD in #2214

feat: remove suid from polkit-agent-helper on non-cosmic images by @RoyalOughtness in #2215

fix: Revert "feat: remove suid from polkit-agent-helper on non-cosmic imag… by @RoyalOughtness in #2219

fix: remove newline from interruptible_ask by @alexvojproc in #2218

chore(deps): bump step-security/harden-runner from 2.19.0 to 2.19.1 by @dependabot[bot] in #2216

chore(deps): bump github/codeql-action from 4.35.2 to 4.35.3 by @dependabot[bot] in #2217

feat(suidless): switch to socket activated polkit agent helper by @RoyalOughtness in #2231

feat(ujust): Do not force prune podman volumes by @francoism90 in #2227

chore(i18n): update PO files by @secureblue-pr-bot[bot] in #2165

feat: add opt-in socket auditing rules, refactor socket policy by @HastD in #2229

fix(kinoite): trivalent and systemsettings clipboard sharing by @RoyalOughtness in #2234

chore: ensure adb availability across desktop images by @RoyalOughtness in #2235

fix: Set FedoraWorkstation as the default firewalld zone in sericea and cosmic images by @Exponent64 in #2236

feat: add ujust...

suid secureblue images feat royaloughtness from

Related Articles

Amazon, Facebook, FBI have access to a private intelligence-sharing network

root-parent18 ptsseattle prism shield network private intelligence

SpaceX not the behemoth everyone thought

kaycebasques13 pts_blockquote instagram data vars text media

The Mirror Is Part of the Machine

london_safari10 ptstelemetry mirror decision logs enough time

Elevated error rates on requests to multiple models

recroad9 ptsclaude incident islands rates elevated error

Donald Trump and sons to be 'forever' exempt from tax audits

doener9 ptsdigital access newsletters premium financial times
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.