Bug 646480

Summary: Replace SETUID in spec file with the correct file capabilities.
Product: [Fedora] Fedora Reporter: Daniel Walsh <dwalsh>
Component: nspluginwrapperAssignee: Martin Stransky <stransky>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: bnocera, dwalsh, jrb, mgrepl, stransky, yersinia.spiros
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 646443 Environment:
Last Closed: 2012-12-21 13:47:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 693731    

Description Daniel Walsh 2010-10-25 13:30:53 UTC 
+++ This bug was initially created as a clone of Bug #646443 +++

Description of problem:

Please remove setuid setup of files in your package with file capabilities.

This is to satisfy the F15 feature.

https://fedoraproject.org/wiki/Features/RemoveSETUID

An example of how this was done for X is.


%if 0%{?fedora} < 15
%define Xorgperms %attr(4711, root, root)
%else
%define Xorgperms %attr(0711,root,root) %caps(cap_sys_admin,cap_sys_rawio,cap_dac_override=pe)
%endif
Comment 1 Daniel Walsh 2011-04-05 13:14:31 UTC 
Any update on this bug
Comment 2 Martin Stransky 2012-12-21 13:47:48 UTC 
I don't understand how this small change in spec file can provide root write permissions for plugin-install program. Please reopen if I'm wrong but I don't think it's useful for nspluginwrapper package.
Comment 3 Daniel Walsh 2012-12-21 17:52:06 UTC 
The problem with using traditional capabilities is the process in this case nspluginwrapper starts with full capabilities and then the programmer is responsible for removing the capabilities that the program does not need.  There have been several mistakes and bugs that have led to program escalation.  By using file capabilties, you would start with a much smaller subset of capabilities and then you should still remove these once you are done with them, but if you have a bug in your code then the potential escalation would be less then with a full capability program.
Comment 4 Elia Pinto 2013-09-11 20:18:28 UTC 
No good for everyone that this feature was closed as don't fix IMHO