Fortunately very few people are crazy enough to install hwclock as
setuid. Some comments in code and unfortunately also man page
advertising that setuid is no problem. That's pretty stupid promise.
The code quality is poor and it's obviously not designed to be secure
(things like popen() without drop privileges, etc.).
This patch removes all notes about "setuid support" and for sure
disable hwclock execution for non-root users.
Addresses: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786804 Signed-off-by: Karel Zak <kzak@redhat.com>
projects / thirdparty / util-linux.git / commit
