Bug 522244 - Changes for lowering capabilities project
Summary: Changes for lowering capabilities project
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: ConsoleKit
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: jmccann
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-09-09 20:48 UTC by Steve Grubb
Modified: 2015-01-14 23:23 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-01 19:00:30 UTC
Type: ---
Embargoed:


Attachments
Patch to drop capabilities (3.03 KB, patch)
2009-09-09 20:48 UTC, Steve Grubb

Description Steve Grubb 2009-09-09 20:48:56 UTC
Created attachment 360340 [details]
Patch to drop capabilities

Description of problem:
As part of the lowering capabilities project, we should drop all unnecessary
capabilities in all daemons.

Comment 1 Steve Grubb 2009-09-09 20:50:42 UTC
For this patch to work, you need to BuildRequires: libcap-ng-devel, and autoreconf also needs to be run since this changes configure.ac.

Comment 2 jmccann 2009-09-14 19:36:03 UTC
Hi Steve,

Thanks for the patch. I imagine this is something we'd want to apply upstream, right? Would you mind filing a bug here:
https://bugs.freedesktop.org/enter_bug.cgi?product=ConsoleKit

Thanks.

Comment 3 Steve Grubb 2009-09-17 19:33:47 UTC
Turns out there is a problem with this patch. ConsoleKit seems to need CAP_DAC_OVERRIDE in addition to what's already given. Seems to be related to /dev/tty, but not 100% sure. If ConsoleKit does need DAC_OVERRIDE, then there is no possibility of confining this app.

Comment 4 Steve Grubb 2009-10-01 19:00:30 UTC
ConsoleKit is not confinable in its current implementation.
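
An added example, not part of the bug report or the attached patch: a Python check that decodes the CapPrm/CapEff masks from /proc/<pid>/status text and reports whether a daemon still holds CAP_DAC_OVERRIDE, the capability Comment 3 names as preventing confinement. The function names and the sample status text are constructed for illustration and do not come from a real ConsoleKit process.

```python
import re

# Bit numbers from linux/capability.h (subset; unknown bits print as cap_<n>).
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID",
    8: "CAP_SETPCAP", 10: "CAP_NET_BIND_SERVICE", 12: "CAP_NET_ADMIN",
    18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN",
    23: "CAP_SYS_NICE", 26: "CAP_SYS_TTY_CONFIG", 29: "CAP_AUDIT_WRITE",
}

# Assumption of this example: only the capability named in the thread blocks
# confinement. Extend the set to match your own policy.
UNCONFINABLE = {"CAP_DAC_OVERRIDE"}

CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):[ \t]*([0-9a-fA-F]+)[ \t]*$", re.M)

def decode_mask(mask):
    """Return the capability names set in an integer mask, lowest bit first."""
    names, bit = [], 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES.get(bit, f"cap_{bit}"))
        bit += 1
    return names

def audit_status(status_text):
    """Parse /proc/<pid>/status text and report held capabilities and a verdict."""
    masks = {name: int(value, 16) for name, value in CAP_LINE.findall(status_text)}
    if "CapPrm" not in masks or "CapEff" not in masks:
        raise ValueError("no CapPrm/CapEff lines found")
    # Permitted counts as held: the process can raise it into the effective set.
    held = decode_mask(masks["CapPrm"] | masks["CapEff"])
    blocking = sorted(UNCONFINABLE.intersection(held))
    return {"held": held, "blocking": blocking, "confinable": not blocking}

# Constructed samples: a daemon that dropped to two capabilities, and one that
# keeps CAP_DAC_OVERRIDE in its permitted set only.
SAMPLE_DROPPED = ("Name:\tdaemon-a\nCapInh:\t0000000000000000\n"
                  "CapPrm:\t0000000004000001\nCapEff:\t0000000004000001\n")
SAMPLE_WITH_DAC = ("Name:\tdaemon-b\nCapInh:\t0000000000000000\n"
                   "CapPrm:\t0000000004000003\nCapEff:\t0000000004000001\n")

if __name__ == "__main__":
    for sample in (SAMPLE_DROPPED, SAMPLE_WITH_DAC):
        print(audit_status(sample))
```

To audit a live daemon, pass the contents of `/proc/<pid>/status` to `audit_status()`.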

