Bug 646476

Summary: Replace SETUID in spec file with the correct file capabilities.
Product: [Fedora] Fedora Reporter: Daniel Walsh <dwalsh>
Component: kdelibsAssignee: Than Ngo <than>
Status: ASSIGNED --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: dwalsh, ian, jgrulich, jreznik, kevin, maurizio.antillon, ovasik, rdieter, sgrubb, smparrish, than
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 646443 Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 693731    

Description Daniel Walsh 2010-10-25 13:26:59 UTC 
+++ This bug was initially created as a clone of Bug #646443 +++

Description of problem:

Please remove setuid setup of files in your package with file capabilities.

This is to satisfy the F15 feature.

https://fedoraproject.org/wiki/Features/RemoveSETUID

An example of how this was done for X is.


%if 0%{?fedora} < 15
%define Xorgperms %attr(4711, root, root)
%else
%define Xorgperms %attr(0711,root,root) %caps(cap_sys_admin,cap_sys_rawio,cap_dac_override=pe)
%endif
Comment 1 Daniel Walsh 2011-04-05 13:18:45 UTC 
Any movement on this?
Comment 2 Kevin Kofler 2011-04-05 13:25:41 UTC 
The offender in the case of kdelibs is:
%attr(4755,root,root) %{_kde4_libexecdir}/kpac_dhcp_helper
Comment 3 Daniel Walsh 2011-04-05 14:10:20 UTC 
Any idea what that app actually needs to do?
Comment 4 Kevin Kofler 2011-04-05 14:24:10 UTC 
This needs to be able to do DHCP requests, mainly. This is for proxy auto configuration (PAC), see: http://linux.die.net/man/7/kpac_dhcp_helper

The code is only 229 lines including comments and blank lines:
https://projects.kde.org/projects/kde/kdelibs/repository/revisions/master/entry/kio/misc/kpac/kpac_dhcp_helper.c

It drops privileges immediately after init_socket. Presumably, only socket-related capabilities are actually needed. (Should we patch out the code for resetting UID and GID when we do the change?)
Comment 5 Daniel Walsh 2011-04-05 14:31:46 UTC 
Looks like we need an SELinux label for this app.  Which apps use this?  kdm? or is it executed by users?

I don't think you are dropping capabilities properly in the code.  I am sure Steve Grubb will comment on that.  

And if we go to file cabailities you would not need the setuid/setgid calls anymore.
Comment 6 Rex Dieter 2011-11-14 13:09:04 UTC 
Looks like this ends up getting executed by users, per 
kdelibs-4.7.3/kio/misc/kpac/README.wpad

1. DHCP based autodiscovery

        If you are running a DHCP server on your network anyway, you might
        want to use this approach; all you have to do is to add the WPAD
        option (numeric 252 or hex fc) as a string containing the URL to the
        PAC script.

        To do so with older versions of ISC dhcpd, add this to
        /etc/dhcpd.conf, either globally or just for the subnets you want to
        enable WPAD for:

        option option-252 "http://example.com/path/to/proxyconfig.pac";

        Or, for newer ISC dhcpd versions, add this globally:

        option wpad code 252 = text;

        and this either globally or for the WPAD subnets:

        option wpad "http://example.com/path/to/proxyconfig.pac";

        For other DHCP servers, please consult the reference manual on how
        to add an option by number if WPAD support is not built-in.

...

Note that DHCP is the preferred approach since it's more flexible than DNS
as it doesn't require a well known host name nor a fixed location
(/wpad.dat) for the PAC script. It is also the first method tried before
resorting to DNS, so if you use DNS there will be a noticeable delay of 5
seconds while waiting for a DHCP reply.

However, DHCP requires a helper program, kpac_dhcp_helper to be installed
suid root. If you consider this a security problem, just delete that program
or remove its suid permissions and use DNS instead. If the helper cannot
execute as root, the 5 seconds delay will also go away.

If you have further questions or comments, please contact me: Malte
Starostik <malte>
Comment 7 Daniel Walsh 2011-11-14 20:03:46 UTC 
I would want to know that the tool is dropping capabilities properly and/or if it could be does setgid?
Comment 8 Fedora End Of Life 2013-04-03 19:07:48 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
Comment 9 Rex Dieter 2013-04-12 15:29:56 UTC 
rebase to rawhide/FutureFeature, to avoid risking autoclose
Comment 10 Maurizio 2013-09-03 14:42:24 UTC 
mac adress 



   fff:fff:fff:fff:fff:fff