Bug 646450 - Replace SETUID in spec file with the correct file capabilities.
Summary: Replace SETUID in spec file with the correct file capabilities.
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: dbus
Version: rawhide
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: ---
Assignee: David Zeuthen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: removesuid16
TreeView+ depends on / blocked
 
Reported: 2010-10-25 12:58 UTC by Daniel Walsh
Modified: 2013-03-06 04:04 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 646443
: 646452 (view as bug list)
Environment:
Last Closed: 2011-04-05 16:39:21 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Daniel Walsh 2010-10-25 12:58:11 UTC
+++ This bug was initially created as a clone of Bug #646443 +++

Description of problem:

Please remove setuid setup of files in your package with file capabilities.

This is to satisfy the F15 feature.

https://fedoraproject.org/wiki/Features/RemoveSETUID

An example of how this was done for X is.


%if 0%{?fedora} < 15
%define Xorgperms %attr(4711, root, root)
%else
%define Xorgperms %attr(0711,root,root) %caps(cap_sys_admin,cap_sys_rawio,cap_dac_override=pe)
%endif

Comment 1 Daniel Walsh 2011-04-05 13:22:38 UTC
Any movement on this?

Comment 2 Colin Walters 2011-04-05 15:58:10 UTC
We need *all* capabilities in general; the launch helper is used to run arbitrary programs.  It's pretty much an alternative init.  

In practice cap_sys_admin and cap_dac_override would probably be enough, but I don't really want to guess.  How do we request "all"?

Note that in the future hopefully this setuid helper will be going away in favor of asking systemd to do the activation.  See https://bugs.freedesktop.org/show_bug.cgi?id=34526

Comment 3 David Zeuthen 2011-04-05 16:27:06 UTC
Bug 646485 comment 2 is related to this.

Comment 4 Daniel Walsh 2011-04-05 16:39:21 UTC
Thats fine,  Closing WONTFIX, Or could CLOSE NOTABUG.


Note You need to log in before you can comment on or make changes to this bug.