Bug 646448 - Replace SETUID in spec file with the correct file capabilities.
Replace SETUID in spec file with the correct file capabilities.
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: pam (Show other bugs)
rawhide
Unspecified Unspecified
low Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
:
Depends On:
Blocks: removesuid16
  Show dependency treegraph
 
Reported: 2010-10-25 08:56 EDT by Daniel Walsh
Modified: 2011-04-05 09:22 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 646443
Environment:
Last Closed: 2011-04-05 09:22:23 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Daniel Walsh 2010-10-25 08:56:26 EDT
+++ This bug was initially created as a clone of Bug #646443 +++

Description of problem:

Please remove setuid setup of files in your package with file capabilities.

This is to satisfy the F15 feature.

https://fedoraproject.org/wiki/Features/RemoveSETUID

An example of how this was done for X is.


%if 0%{?fedora} < 15
%define Xorgperms %attr(4711, root, root)
%else
%define Xorgperms %attr(0711,root,root) %caps(cap_sys_admin,cap_sys_rawio,cap_dac_override=pe)
%endif
Comment 1 Tomas Mraz 2010-10-25 15:30:59 EDT
There are two simple helpers with setuid bit in pam - unix_chkpwd and pam_timestamp_check. Both would need cap_dac_override. The unix_chkpwd would also need cap_audit_write.
Comment 2 Tomas Mraz 2010-10-25 15:39:12 EDT
Note that changing to capabilities instead of setuid on unix_chkpwd has potential to break some specific configurations such as using pam_unix to authenticate users with hashes obtained from LDAP server with nss_ldap. So I am not sure the very small benefit of having cap_dac_override instead of setuid is worth the potential regressions.
Comment 3 Daniel Walsh 2011-04-05 09:22:23 EDT
Ok lets close these as wontfix

Note You need to log in before you can comment on or make changes to this bug.