[ubuntu-hardened] Removing suid root from binaries where it isn't needed

gaten education.kills at gmail.com
Tue Oct 30 19:11:48 GMT 2007



This list actually lives, I'm happily surprised.

Jeff Schroeder wrote:
> Serge Hallyn's recent implement-file-system-posix-capabilities.patch
> finally got the buyoff from Andrew Morton and is going to be going
> into the as of yet unreleased 2.6.24 kernel. However, since Hardy will
> very likely be using the 2.6.24 kernel, maybe we can look at what this
> specific feature buys us.
> ...
> This might require some work for stupid userspace code that does
> something like:
> if (EUID != 0)
>   die_a_miserable_death_and_say_you_only_run_as_root();
> 
> This might mean that Ubuntu carries Ubuntu-specific patches to check
> 
It would be great if we could forgo any "Ubuntu specific" patches, but I
understand that might not be possible.

> For a full list of all available capabilities, this should do:
> awk '/^#define/{if ($2 ~ "CAP_") print $2}' /usr/include/linux/capability.h
> And then look at the man page capabilities(7) for more information on
> what they each are.
> 
> Does anyone else think this is a good idea to investigate removing
> suid root from *some* of these binaries where it doesn't break
> anything? It seems like a win-win to me. The only thing different is
> that this would need to be prominently displayed somewhere in the
> server docs and the fscaps tools would need to be packaged + the MIR.
> 

God yes. SUID has always been a problem (or at least an attack vector),
and I for one can see no reason NOT to do this, as long as we aren't
breaking a million other things in the process.
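The breakage Jeff is pointing at comes from programs that test the effective uid rather than the privilege they actually need. The following is an added example, not code from the thread or from any Ubuntu package: the legacy `geteuid() == 0` test side by side with a check of the process's effective capability set, read through the raw capget(2) syscall so no libcap is required. The helper names (`privileged_by_euid`, `cap_in_mask`, `has_effective_cap`) are my own; the capability numbers come from `linux/capability.h`, the header the quoted awk one-liner scans.

```c
/* Added example (not from the list thread): two ways a program can decide
 * whether it may perform a privileged operation.
 *   - legacy: "am I effective-uid 0?"  This breaks as soon as the binary is
 *     shipped with file capabilities instead of the setuid-root bit, because
 *     the process then holds the needed capability but is not uid 0.
 *   - capability-aware: "is the bit I need in my effective set?"
 * Linux only; uses capget(2) directly, so libcap is not needed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* The check the quoted mail complains about. */
int privileged_by_euid(void) {
    return geteuid() == 0;
}

/* Pure helper: is capability number `cap` set in an effective mask that the
 * kernel returns as two 32-bit words (low word holds caps 0..31)? */
int cap_in_mask(uint32_t lo, uint32_t hi, int cap) {
    if (cap < 0 || cap > 63) return 0;
    if (cap < 32) return (int)((lo >> cap) & 1u);
    return (int)((hi >> (cap - 32)) & 1u);
}

/* Read the calling thread's effective capability set via capget(2).
 * Returns 1 if `cap` is effective, 0 if not, -1 if the syscall failed. */
int has_effective_cap(int cap) {
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];   /* version 3 uses two words */
    memset(&hdr, 0, sizeof hdr);
    memset(data, 0, sizeof data);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    hdr.pid = 0;                             /* 0 = the calling thread */
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    return cap_in_mask(data[0].effective, data[1].effective, cap);
}

int main(void) {
    /* A ping-like tool should ask the second question, not the first. */
    printf("euid == 0                 : %d\n", privileged_by_euid());
    printf("CAP_NET_RAW effective     : %d\n", has_effective_cap(CAP_NET_RAW));
    printf("CAP_NET_BIND_SERVICE eff. : %d\n", has_effective_cap(CAP_NET_BIND_SERVICE));
    return 0;
}
```

Run it once as an ordinary user and once after the binary has been given a file capability (with `setcap`, as the thread proposes) instead of the setuid bit: the euid check stays 0 in the second case while the capability check turns to 1, which is exactly the split that makes the `EUID != 0` pattern fail.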