646456 – Replace SETUID in spec file with the correct file capabilities.

Bug 646456 - Replace SETUID in spec file with the correct file capabilities.

Summary: Replace SETUID in spec file with the correct file capabilities.

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	at
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Marcela Mašláňová
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	removesetuid
TreeView+	depends on / blocked

Reported:	2010-10-25 13:13 UTC by Daniel Walsh
Modified:	2011-04-05 13:10 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:	646443
Environment:
Last Closed:	2010-10-26 15:48:58 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Daniel Walsh 2010-10-25 13:13:42 UTC

+++ This bug was initially created as a clone of Bug #646443 +++

Description of problem:

Please remove setuid setup of files in your package with file capabilities.

This is to satisfy the F15 feature.

https://fedoraproject.org/wiki/Features/RemoveSETUID

An example of how this was done for X is.


%if 0%{?fedora} < 15
%define Xorgperms %attr(4711, root, root)
%else
%define Xorgperms %attr(0711,root,root) %caps(cap_sys_admin,cap_sys_rawio,cap_dac_override=pe)
%endif

Comment 1 Marcela Mašláňová 2010-10-26 15:48:58 UTC

Files by at daemon are created under daemon/root privileges and they are needed for correct work of atd. The suggested change above won't help and I doubt if any changes for this daemon will make him more secure.

Note You need to log in before you can comment on or make changes to this bug.