Bug 646448 - Replace SETUID in spec file with the correct file capabilities.
Summary: Replace SETUID in spec file with the correct file capabilities.
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: pam
Version: rawhide
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: removesuid16
TreeView+ depends on / blocked
 
Reported: 2010-10-25 12:56 UTC by Daniel Walsh
Modified: 2011-04-05 13:22 UTC (History)
5 users (show)

Fixed In Version:
Clone Of: 646443
Environment:
Last Closed: 2011-04-05 13:22:23 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Daniel Walsh 2010-10-25 12:56:26 UTC 
+++ This bug was initially created as a clone of Bug #646443 +++

Description of problem:

Please remove setuid setup of files in your package with file capabilities.

This is to satisfy the F15 feature.

https://fedoraproject.org/wiki/Features/RemoveSETUID

An example of how this was done for X is.


%if 0%{?fedora} < 15
%define Xorgperms %attr(4711, root, root)
%else
%define Xorgperms %attr(0711,root,root) %caps(cap_sys_admin,cap_sys_rawio,cap_dac_override=pe)
%endif
Comment 1 Tomas Mraz 2010-10-25 19:30:59 UTC 
There are two simple helpers with setuid bit in pam - unix_chkpwd and pam_timestamp_check. Both would need cap_dac_override. The unix_chkpwd would also need cap_audit_write.
Comment 2 Tomas Mraz 2010-10-25 19:39:12 UTC 
Note that changing to capabilities instead of setuid on unix_chkpwd has potential to break some specific configurations such as using pam_unix to authenticate users with hashes obtained from LDAP server with nss_ldap. So I am not sure the very small benefit of having cap_dac_override instead of setuid is worth the potential regressions.
Comment 3 Daniel Walsh 2011-04-05 13:22:23 UTC 
Ok lets close these as wontfix
Note You need to log in before you can comment on or make changes to this bug.