| Summary: | [RFE] RFE: Remove extraneous setuid root utilities | | |
|---|---|---|---|
| Product: | [Retired] oVirt | Reporter: | Perry Myers <pmyers> |
| Component: | ovirt-node | Assignee: | Joey Boggs <jboggs> |
| Status: | CLOSED WONTFIX | QA Contact: | bugs <bugs> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | acathrow, cshao, dfediuck, fdeutsch, gouyang, hadong, iheim, jboggs, leiwang, ovirt-bugs, ovirt-maint, pmatouse, ycui |
| Target Milestone: | --- | Keywords: | FutureFeature |
| Target Release: | 3.6.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | node | | |
| Fixed In Version: | 2.5.2 | Doc Type: | Enhancement |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-06-22 12:29:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | Node | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | | | |
| Bug Blocks: | 829023 | | |

I'm sure some of these can't be removed. Just from a quick glance, these can't be: mount, umount, su, passwd, chage, sudo, mount.nfs

It's too late in the 2.4.0 timeframe to tackle this one, so deferring to 2.5.0.

Petr, can you tell from which files given in the description setuid can be dropped?

(In reply to Fabian Deutsch from comment #3)
> can you tell from which files given in the description setuid can be dropped?

I can't say that without testing. I'd start with

(In reply to Perry Myers from comment #0)
> ./usr/bin/gpasswd
> ./usr/bin/chfn
> ./usr/bin/chage
> ./usr/bin/chsh
> ./usr/bin/ksu
> ./usr/bin/staprun
> ./usr/bin/wall

and perform ovirt-node regression tests and then add some more if nothing breaks. I'm afraid there's no easy way out.

Closing old bugs. If this issue is still relevant/important in current version, please re-open the bug.

We should remove all unnecessary binaries that contain setuid root. Running the following on a running oVirt Node (2.2.2):

```
find . -type f \( -perm -4000 -o -perm -2000 \) -exec ls {} \; 2>/dev/null
```

Showed the following files:

```
./usr/sbin/usernetctl
./usr/bin/write
./usr/bin/gpasswd
./usr/bin/chfn
./usr/bin/chage
./usr/bin/sudoedit
./usr/bin/newgrp
./usr/bin/chsh
./usr/bin/pkexec
./usr/bin/ksu
./usr/bin/sudo
./usr/bin/staprun
./usr/bin/crontab
./usr/bin/passwd
./usr/bin/wall
./usr/libexec/polkit-1/polkit-agent-helper-1
./usr/libexec/openssh/ssh-keysign
./usr/libexec/utempter/utempter
./sbin/unix_chkpwd
./sbin/netreport
./sbin/pam_timestamp_check
./sbin/mount.nfs
./lib64/dbus-1/dbus-daemon-launch-helper
./bin/mount
./bin/umount
./bin/su
./bin/fusermount
./run/initramfs/sbin/mount.nfs
./run/initramfs/bin/mount
./run/initramfs/bin/umount
```

Advice from security experts is to remove setuid on as many of these as possible, and find out what breaks/doesn't break. But the goal should be to have as few setuid binaries as possible on the system.
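
The triage the thread describes, as an added example that is not part of the bug report or of ovirt-node: it runs the same `find` test, then splits the hits into binaries named in the thread as not removable and candidates for the drop-the-bit-and-run-regression-tests approach. The function names, the basename matching and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage setuid/setgid files into "keep" and "candidate".

# Assumption: the allowlist is the set named in the bug's first reply as
# not removable; matching is by basename, which is a simplification.
KEEP_NAMES="mount umount su passwd chage sudo mount.nfs"

# list_suid ROOT: same permission test as the find command in the description.
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# classify ROOT: print "keep <path>" or "candidate <path>" for each hit.
classify() {
    list_suid "$1" | while IFS= read -r path; do
        verdict=candidate
        for k in $KEEP_NAMES; do
            if [ "${path##*/}" = "$k" ]; then verdict=keep; fi
        done
        printf '%s %s\n' "$verdict" "$path"
    done
}

# candidates ROOT: paths to test with the bit dropped (chmod u-s,g-s) before
# running the regression tests, as the thread proposes.
candidates() {
    classify "$1" | sed -n 's/^candidate //p'
}

# make_sample_tree DIR: constructed sample tree, not real oVirt Node content.
make_sample_tree() {
    mkdir -p "$1/usr/bin" "$1/bin"
    for f in usr/bin/chfn usr/bin/wall usr/bin/sudo bin/mount bin/ls; do
        : > "$1/$f"
    done
    chmod 0755 "$1/bin/ls"
    chmod 4755 "$1/usr/bin/chfn" "$1/usr/bin/wall" "$1/usr/bin/sudo" "$1/bin/mount"
}

# Stand-alone use: ./suid-triage.sh /path/to/root
if [ "$#" -gt 0 ]; then classify "$1"; fi
```

Saving the `classify` output from each image build and diffing it against the previous build shows when a package update introduces a new setuid or setgid file.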