Bug 646481 - Replace SETUID in spec file with the correct file capabilities.
Replace SETUID in spec file with the correct file capabilities.
Product: Fedora
Classification: Fedora
Component: openssh (Show other bugs)
Unspecified Unspecified
low Severity medium
: ---
: ---
Assigned To: Jan F. Chadima
Fedora Extras Quality Assurance
Depends On: 456105
Blocks: removesuid16
  Show dependency treegraph
Reported: 2010-10-25 09:32 EDT by Daniel Walsh
Modified: 2011-04-23 10:37 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 646443
Last Closed: 2011-04-23 10:37:06 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Daniel Walsh 2010-10-25 09:32:02 EDT
+++ This bug was initially created as a clone of Bug #646443 +++

Description of problem:

Please remove setuid setup of files in your package with file capabilities.

This is to satisfy the F15 feature.


An example of how this was done for X is.

%if 0%{?fedora} < 15
%define Xorgperms %attr(4711, root, root)
%define Xorgperms %attr(0711,root,root) %caps(cap_sys_admin,cap_sys_rawio,cap_dac_override=pe)
Comment 1 Daniel Walsh 2011-04-05 09:18:18 EDT
Any movement on this?
Comment 2 Jan F. Chadima 2011-04-18 09:02:47 EDT
there are 2 setuid/setgid programs

%attr(2111,root,nobody) %{_bindir}/ssh-agent  ... there is no capability equivalent

%attr(4111,root,root) %{_libexecdir}/openssh/ssh-keysign ... there is  cap_dac_override equivalent

I have no reason why to change this. It does not help to secure it.
Comment 3 Jan F. Chadima 2011-04-18 10:26:33 EDT
cap_dac_override enables full root access by many ways.
Comment 4 Daniel Walsh 2011-04-18 11:41:45 EDT
Is this tool dropping capabilities properly?  Out of curiosity why does it need cap_dac_override?
Comment 5 Jan F. Chadima 2011-04-20 04:46:28 EDT
this tool need an access to server keys
just after open these keys it permanently changes the uid to the real user's uid.
Comment 6 Daniel Walsh 2011-04-20 10:25:38 EDT
Does the tool drop all capabilities then?

Why we don't have a DAC_READ_OVERRIDE is beyond me...

Strange that we don't give this to the app for SELinux.

sesearch -A -s ssh_keysign_t -c capability --dontaudit
Found 1 semantic av rules:
   allow ssh_keysign_t ssh_keysign_t : capability { setgid setuid } ;
Comment 7 Daniel Walsh 2011-04-20 10:26:11 EDT
If you went to file_capabilites you could drop the setuid/setgid code, also.
Comment 8 Tomas Mraz 2011-04-20 10:31:56 EDT
Yes, CAP_DAC_READ_OVERRIDE would make a sense if it existed.
Comment 9 Daniel Walsh 2011-04-20 11:00:38 EDT
Steve grub doesn't this look like a good candidate for setgid?
Comment 10 Steve Grubb 2011-04-20 12:39:10 EDT
Not sure which tool we are talking about, but openwall linux recently released a new update where they got rid of all setuid programs. Openssh is a package they support and they might have a patch that is useful.
Comment 11 Jan F. Chadima 2011-04-21 13:13:05 EDT
openwall drops hostbased auth and the ssh-keysign is in openwall missing.
Comment 12 Jan F. Chadima 2011-04-22 03:41:15 EDT
sent proposed patch upstream

Note You need to log in before you can comment on or make changes to this bug.