Bug 646481

Summary: Replace SETUID in spec file with the correct file capabilities.
Product: [Fedora] Fedora Reporter: Daniel Walsh <dwalsh>
Component: opensshAssignee: Jan F. Chadima <jchadima>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: dwalsh, eparis, jchadima, mgrepl, sgrubb, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 646443 Environment:
Last Closed: 2011-04-23 14:37:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 456105    
Bug Blocks: 693731    

Description Daniel Walsh 2010-10-25 13:32:02 UTC 
+++ This bug was initially created as a clone of Bug #646443 +++

Description of problem:

Please remove setuid setup of files in your package with file capabilities.

This is to satisfy the F15 feature.

https://fedoraproject.org/wiki/Features/RemoveSETUID

An example of how this was done for X is.


%if 0%{?fedora} < 15
%define Xorgperms %attr(4711, root, root)
%else
%define Xorgperms %attr(0711,root,root) %caps(cap_sys_admin,cap_sys_rawio,cap_dac_override=pe)
%endif
Comment 1 Daniel Walsh 2011-04-05 13:18:18 UTC 
Any movement on this?
Comment 2 Jan F. Chadima 2011-04-18 13:02:47 UTC 
there are 2 setuid/setgid programs

%attr(2111,root,nobody) %{_bindir}/ssh-agent  ... there is no capability equivalent

%attr(4111,root,root) %{_libexecdir}/openssh/ssh-keysign ... there is  cap_dac_override equivalent

I have no reason why to change this. It does not help to secure it.
Comment 3 Jan F. Chadima 2011-04-18 14:26:33 UTC 
cap_dac_override enables full root access by many ways.
Comment 4 Daniel Walsh 2011-04-18 15:41:45 UTC 
Is this tool dropping capabilities properly?  Out of curiosity why does it need cap_dac_override?
Comment 5 Jan F. Chadima 2011-04-20 08:46:28 UTC 
this tool need an access to server keys
just after open these keys it permanently changes the uid to the real user's uid.
Comment 6 Daniel Walsh 2011-04-20 14:25:38 UTC 
Does the tool drop all capabilities then?

Why we don't have a DAC_READ_OVERRIDE is beyond me...

Strange that we don't give this to the app for SELinux.

sesearch -A -s ssh_keysign_t -c capability --dontaudit
Found 1 semantic av rules:
   allow ssh_keysign_t ssh_keysign_t : capability { setgid setuid } ;
Comment 7 Daniel Walsh 2011-04-20 14:26:11 UTC 
If you went to file_capabilites you could drop the setuid/setgid code, also.
Comment 8 Tomas Mraz 2011-04-20 14:31:56 UTC 
Yes, CAP_DAC_READ_OVERRIDE would make a sense if it existed.
Comment 9 Daniel Walsh 2011-04-20 15:00:38 UTC 
Steve grub doesn't this look like a good candidate for setgid?
Comment 10 Steve Grubb 2011-04-20 16:39:10 UTC 
Not sure which tool we are talking about, but openwall linux recently released a new update where they got rid of all setuid programs. Openssh is a package they support and they might have a patch that is useful.
Comment 11 Jan F. Chadima 2011-04-21 17:13:05 UTC 
openwall drops hostbased auth and the ssh-keysign is in openwall missing.
Comment 12 Jan F. Chadima 2011-04-22 07:41:15 UTC 
sent proposed patch upstream