[ubuntu-hardened] Removing suid root from binaries where it isn't needed

Chad Sellers chad at thesellers.net
Tue Oct 30 21:30:55 GMT 2007

On Oct 30, 2007, at 3:11 PM, gaten wrote:

> Hash: SHA1
> This list actually lives, I'm happily surprised.
> Jeff Schroeder wrote:
>> Serge Hallyn's recent implement-file-system-posix-capabilities.patch
>> finally got the buyoff from Andrew Morton and is going to be going
>> into the as of yet unreleased 2.6.24 kernel. However, since Hardy  
>> will
>> very likely be using the 2.6.24 kernel, maybe we can look at what  
>> this
>> specific feature buys us.
>> ...
>> This might require some work for stupid userspace code that does
>> something like:
>> if (EUID != 0)
>>   die_a_miserable_death_and_say_you_only_run_as_root();
>> This might mean that Ubuntu carries Ubuntu-specific patches to check
> It would be great if we could forgo any "Ubuntu specific" patches,  
> but I
> understand that might not be possible.
The good news here is that SELinux has already ran into a lot of  
these cases over the last few years, and a lot of the changes have  
made it into upstream packages. So at least the set of programs that  
behave as such has gotten smaller.

>> For a full list of all available capabilities, this should do:
>> awk '/^#define/{if ($2 ~ "CAP_") print $2}' /usr/include/linux/ 
>> capability.h
>> And then look at the man page capabilities(7) for more information on
>> what they each are.
>> Does anyone else think this is a good idea to investigate removing
>> suid root from *some* of these binaries where it doesn't break
>> anything? It seems like a win win to me. The only thing different is
>> that this would need to be prominently displayed somewhere in the
>> server docs and the fscaps tools would need to be packaged + the MIR.
> God yes. SUID has always been a problem (or at least an attack  
> vector),
> and I for one can see no reason NOT to do this, as long as we aren't
> breaking a million other things in the process.

I'm only a bit familiar with Serge's patch. I'm pretty sure it  
requires a filesystem that supports extended attributes. You may run  
into problems (particularly on the LiveCD) because of this.

Chad Sellers

> Version: GnuPG v1.4.6 (GNU/Linux)
> QXr1Y9GuQ+yp/3uKI3BCUKk=
> =DIRo
> -- 
> ubuntu-hardened mailing list
> ubuntu-hardened at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened

More information about the ubuntu-hardened mailing list