+++ This bug was initially created as a clone of Bug #646443 +++
Description of problem:
Please remove setuid setup of files in your package with file capabilities. This is to satisfy the F15 feature. https://fedoraproject.org/wiki/Features/RemoveSETUID
An example of how this was done for X is.
    %if 0%{?fedora} < 15
    %define Xorgperms %attr(4711, root, root)
    %else
    %define Xorgperms %attr(0711,root,root) %caps(cap_sys_admin,cap_sys_rawio,cap_dac_override=pe)
    %endif
Any movement on this?
The offender in the case of kdelibs is: %attr(4755,root,root) %{_kde4_libexecdir}/kpac_dhcp_helper
Any idea what that app actually needs to do?
This needs to be able to do DHCP requests, mainly. This is for proxy auto configuration (PAC), see: http://linux.die.net/man/7/kpac_dhcp_helper The code is only 229 lines including comments and blank lines: https://projects.kde.org/projects/kde/kdelibs/repository/revisions/master/entry/kio/misc/kpac/kpac_dhcp_helper.c It drops privileges immediately after init_socket. Presumably, only socket-related capabilities are actually needed. (Should we patch out the code for resetting UID and GID when we do the change?)
Looks like we need an SELinux label for this app. Which apps use this? kdm? or is it executed by users? I don't think you are dropping capabilities properly in the code. I am sure Steve Grubb will comment on that. And if we go to file capabilities you would not need the setuid/setgid calls anymore.
Looks like this ends up getting executed by users, per kdelibs-4.7.3/kio/misc/kpac/README.wpad
    1. DHCP based autodiscovery
    If you are running a DHCP server on your network anyway, you might want to use this approach; all you have to do is to add the WPAD option (numeric 252 or hex fc) as a string containing the URL to the PAC script.
    To do so with older versions of ISC dhcpd, add this to /etc/dhcpd.conf, either globally or just for the subnets you want to enable WPAD for:
        option option-252 "http://example.com/path/to/proxyconfig.pac";
    Or, for newer ISC dhcpd versions, add this globally:
        option wpad code 252 = text;
    and this either globally or for the WPAD subnets:
        option wpad "http://example.com/path/to/proxyconfig.pac";
    For other DHCP servers, please consult the reference manual on how to add an option by number if WPAD support is not built-in.
    ...
    Note that DHCP is the preferred approach since it's more flexible than DNS as it doesn't require a well known host name nor a fixed location (/wpad.dat) for the PAC script. It is also the first method tried before resorting to DNS, so if you use DNS there will be a noticeable delay of 5 seconds while waiting for a DHCP reply.
    However, DHCP requires a helper program, kpac_dhcp_helper to be installed suid root. If you consider this a security problem, just delete that program or remove its suid permissions and use DNS instead. If the helper cannot execute as root, the 5 seconds delay will also go away.
    If you have further questions or comments, please contact me: Malte Starostik <malte>
I would want to know that the tool is dropping capabilities properly and/or if it could be does setgid?
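
Added example, not part of the bug comments and not taken from kpac_dhcp_helper.c: one way a helper installed with file capabilities instead of setuid can give up every capability once its socket is set up, using the raw capset/capget syscalls so no libcap is needed. The function names and the port number 68 are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Clear the effective, permitted and inheritable sets of the calling thread. */
int drop_all_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = { { 0 } };
    return (int)syscall(SYS_capset, &hdr, data);
}

/* 1 if no capability remains in any set, 0 if some remain, -1 on error. */
int caps_are_empty(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++)
        if (data[i].effective | data[i].permitted | data[i].inheritable)
            return 0;
    return 1;
}

/* Bind a UDP socket to `port` (assumed here: 68, which needs
 * CAP_NET_BIND_SERVICE), then drop capabilities whether or not the bind
 * worked. Returns the fd, -1 if socket setup failed, -2 if the drop failed. */
int privileged_socket_then_drop(unsigned short port)
{
    struct sockaddr_in addr = { .sin_family = AF_INET, .sin_port = htons(port) };
    int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0) {
        close(fd);
        fd = -1;
    }
    if (drop_all_caps() != 0 || caps_are_empty() != 1)
        return -2;              /* still privileged: caller must exit */
    return fd;
}

int main(void)
{
    return privileged_socket_then_drop(68) == -2;  /* 68 is an assumed port */
}
```

The drop is verified with capget rather than trusted, and a failed drop is treated as fatal. With file capabilities the process keeps the invoking user's UID and GID, so this step takes the place of the setuid/setgid calls.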
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
rebase to rawhide/FutureFeature, to avoid risking autoclose
mac address fff:fff:fff:fff:fff:fff