Bug 646481
Summary: | Replace SETUID in spec file with the correct file capabilities. | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Daniel Walsh <dwalsh> |
Component: | openssh | Assignee: | Jan F. Chadima <jchadima> |
Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Priority: | low |
Version: | rawhide | CC: | dwalsh, eparis, jchadima, mgrepl, sgrubb, tmraz |
Hardware: | Unspecified | OS: | Unspecified |
Doc Type: | Bug Fix | Clone Of: | 646443 |
Last Closed: | 2011-04-23 14:37:06 UTC | | |
Bug Depends On: | 456105 | Bug Blocks: | 693731 |

Description
Daniel Walsh
2010-10-25 13:32:02 UTC
Any movement on this?

There are 2 setuid/setgid programs:

%attr(2111,root,nobody) %{_bindir}/ssh-agent ... there is no capability equivalent
%attr(4111,root,root) %{_libexecdir}/openssh/ssh-keysign ... there is a cap_dac_override equivalent

I have no reason to change this. It does not help to secure it. cap_dac_override enables full root access in many ways.

Is this tool dropping capabilities properly? Out of curiosity, why does it need cap_dac_override?

This tool needs access to the server keys; just after opening these keys it permanently changes the uid to the real user's uid.

Does the tool drop all capabilities then? Why we don't have a DAC_READ_OVERRIDE is beyond me...

Strange that we don't give this to the app for SELinux.

sesearch -A -s ssh_keysign_t -c capability --dontaudit
Found 1 semantic av rules:
   allow ssh_keysign_t ssh_keysign_t : capability { setgid setuid } ;

If you went to file_capabilities you could drop the setuid/setgid code, also.

Yes, CAP_DAC_READ_OVERRIDE would make sense if it existed.

Steve Grubb, doesn't this look like a good candidate for setgid?

Not sure which tool we are talking about, but Openwall Linux recently released a new update where they got rid of all setuid programs. OpenSSH is a package they support and they might have a patch that is useful.

Openwall drops hostbased auth, and ssh-keysign is missing in Openwall.

Sent proposed patch upstream.
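
The question raised in the thread, whether the tool gives up cap_dac_override once the host keys are open, can be enforced and checked in code. The following is an added example, not OpenSSH code and not written by any commenter: `open_then_drop` is a hypothetical helper, `/dev/null` is a constructed stand-in for a key file, and the raw `capset`/`capget` syscalls are used so that no libcap is needed.

```c
/* Added example (not OpenSSH code): open a protected file, then give up
 * every capability and confirm nothing is left before continuing. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/capability.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Clear permitted, effective and inheritable sets of the calling thread. */
static int drop_all_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    memset(data, 0, sizeof(data));
    return (int)syscall(SYS_capset, &hdr, data);
}

/* 0 = no capability left, 1 = something remains, -1 = capget failed. */
static int caps_remaining(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++)
        if (data[i].permitted | data[i].effective | data[i].inheritable)
            return 1;
    return 0;
}

/* Hypothetical helper: returns an fd for path, or -1 if the open or any
 * part of the privilege drop failed (the fd is closed in that case). */
int open_then_drop(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);   /* the only privileged step */
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0 ||
        drop_all_caps() != 0 || caps_remaining() != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    return open_then_drop("/dev/null") >= 0 ? 0 : 1;  /* constructed input */
}
```

The raw `capset` call affects only the calling thread, so the pattern as written fits a single-threaded helper.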