+++ This bug was initially created as a clone of Bug #646443 +++

Description of problem:
Please remove setuid setup of files in your package with file capabilities. This is to satisfy the F15 feature.
https://fedoraproject.org/wiki/Features/RemoveSETUID

An example of how this was done for X is:

%if 0%{?fedora} < 15
%define Xorgperms %attr(4711, root, root)
%else
%define Xorgperms %attr(0711,root,root) %caps(cap_sys_admin,cap_sys_rawio,cap_dac_override=pe)
%endif
Any movement on this?
There are 2 setuid/setgid programs:
%attr(2111,root,nobody) %{_bindir}/ssh-agent ... there is no capability equivalent
%attr(4111,root,root) %{_libexecdir}/openssh/ssh-keysign ... there is cap_dac_override equivalent
I have no reason to change this. It does not help to secure it.
cap_dac_override enables full root access in many ways.
Is this tool dropping capabilities properly? Out of curiosity why does it need cap_dac_override?
This tool needs access to the server keys; just after opening these keys it permanently changes the uid to the real user's uid.
Does the tool drop all capabilities then? Why we don't have a DAC_READ_OVERRIDE is beyond me... Strange that we don't give this to the app for SELinux.

sesearch -A -s ssh_keysign_t -c capability --dontaudit
Found 1 semantic av rules:
   allow ssh_keysign_t ssh_keysign_t : capability { setgid setuid } ;
If you went to file_capabilities you could drop the setuid/setgid code, also.
Yes, CAP_DAC_READ_OVERRIDE would make sense if it existed.
Steve Grubb, doesn't this look like a good candidate for setgid?
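
Added example, not part of the original bug thread and not OpenSSH code: with file capabilities in place of setuid, the process uid never changes, so no uid switch clears the capability sets and a helper granted cap_dac_override has to drop and verify them itself once the key file is open. The function names below are hypothetical; the code uses the raw Linux capget/capset system calls and assumes a single-threaded process.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Clear the effective, permitted and inheritable sets of the caller.
 * Giving capabilities up never requires privilege. */
int drop_all_caps(void)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    memset(&hdr, 0, sizeof hdr);
    memset(data, 0, sizeof data);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;   /* pid 0 = calling thread */
    return (int)syscall(SYS_capset, &hdr, data);
}

/* 1 if every capability set is empty, 0 if any bit remains, -1 on error. */
int caps_all_clear(void)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    memset(&hdr, 0, sizeof hdr);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++)
        if (data[i].effective | data[i].permitted | data[i].inheritable)
            return 0;
    return 1;
}

/* Open path while still privileged, then drop and verify before doing
 * anything else. Returns the descriptor, or -1 if the open or drop failed. */
int open_then_drop(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (drop_all_caps() != 0 || caps_all_clear() != 1) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    int fd = open_then_drop(argc > 1 ? argv[1] : "/dev/null");
    printf("fd=%d caps_clear=%d\n", fd, caps_all_clear());
    return fd < 0;
}
```

Because the permitted set is cleared as well, the process cannot raise cap_dac_override again later; the already-open descriptor stays usable.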
Not sure which tool we are talking about, but openwall linux recently released a new update where they got rid of all setuid programs. Openssh is a package they support and they might have a patch that is useful.
Openwall drops hostbased auth, and ssh-keysign is missing in Openwall.
Sent proposed patch upstream.