[ubuntu-hardened] Removing suid root from binaries where it isn't needed

Kees Cook kees at ubuntu.com
Wed Oct 31 03:19:59 GMT 2007


On Tue, Oct 30, 2007 at 03:04:28PM -0700, Jeff Schroeder wrote:
> Very good point, this functionality does require a filesystem that
> supports EA like ext3. What does the livecd use? Cramfs? Squashfs?
> There is some sort of infrastructure to deal with differences in how
> the livecd is built. I think it is called casper, but can't remember
> right now. This is an important issue to address.

IIUC, the liveCD uses unionfs to merge the r/o iso9660 with a r/w tmpfs.
The tmpfs doesn't support xattrs.

For the regular system, it seems we'd need to mount with user_xattr, but
most of the unixy filesystems support it.

> The other important one is implementation. How would we implement this
> on installed systems? The best way I can think of is via a postinstall
> hook or apt trigger that runs the command to give it the proper
> capabilities and strip suid root. I've done tons of rpm
> packagebuilding and still very little debian packaging. Maybe someone
> with more knowledge in this area should look at our options.

I imagine this could be made a standard debhelper feature.  For example,
the iputils package could include debian/iputils-ping.fscap:

 /bin/ping cap_net_raw

And a postinst would be generated to drop the setuid bit if the
filesystem supported xattrs.

-Kees

-- 
Kees Cook
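As an added illustration of the postinst logic sketched above (this is example code written for this page, not code from the thread, from debhelper, or from the iputils package), the script below reads lines in the proposed `debian/<pkg>.fscap` format, probes whether the filesystem holding each binary accepts extended attributes, and only then plans a `setcap` followed by `chmod u-s`. The function names (`fs_supports_xattr`, `plan_entry`, `process_fscap`), the `setfattr`-based probe, the `=ep` default when an entry gives no flags, and the sample fscap content are all assumptions of this example.

```shell
#!/bin/sh
# Example postinst-style helper for the proposed <pkg>.fscap format.
# Constructed for illustration; not the iputils or debhelper code.
# Each fscap line is: <path> <capabilities>   (blank lines and '#' comments ignored)

# Return 0 if the filesystem holding $1 accepts user extended attributes.
# Probe by setting a user.* xattr on a temp file in the same directory,
# since file capabilities live in the security.capability xattr.
fs_supports_xattr() {
    dir=$(dirname "$1")
    probe=$(mktemp "$dir/.fscap-probe.XXXXXX") || return 1
    if setfattr -n user.fscap_probe -v 1 "$probe" 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    rm -f "$probe"
    return 1
}

# Print the commands for one entry instead of running them, so the decision
# logic can be exercised without root.  $1=path $2=caps $3=xattr_ok (0 = yes)
plan_entry() {
    path=$1; caps=$2; xattr_ok=$3
    # Assumed default: bare capability names get "=ep" (effective+permitted).
    case $caps in *=*) ;; *) caps="$caps=ep" ;; esac
    if [ "$xattr_ok" = 0 ]; then
        printf 'setcap %s %s\n' "$caps" "$path"
        printf 'chmod u-s %s\n' "$path"
    else
        # No xattr support: keep setuid so the binary still works.
        printf '# %s: no xattr support, keeping setuid\n' "$path"
    fi
}

# Read fscap lines from stdin and emit the plan for each entry.
# $1 (optional) forces the xattr answer (0 or 1) for testing; otherwise
# the filesystem is probed.
process_fscap() {
    force=${1:-}
    while read -r path caps; do
        case $path in ''|'#'*) continue ;; esac
        if [ -n "$force" ]; then
            ok=$force
        elif fs_supports_xattr "$path"; then
            ok=0
        else
            ok=1
        fi
        plan_entry "$path" "$caps" "$ok"
    done
}

# Constructed sample fscap content, matching the debian/iputils-ping.fscap idea.
sample_fscap() {
    printf '# constructed example fscap file\n'
    printf '/bin/ping cap_net_raw\n'
    printf '\n'
}

# Real use (as root, with a probed filesystem):  sample_fscap | process_fscap | sh -e
```

Running the plan through `sh -e` means a failing `setcap` aborts before the `chmod u-s`, so a binary is never left with neither setuid nor its capability.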
