[ubuntu-hardened] Removing suid root from binaries where it isn't needed

Martin Pitt martin.pitt at ubuntu.com
Wed Oct 31 11:51:35 GMT 2007


Jeff Schroeder [2007-10-30 11:04 -0700]:
> The best way to protect our users is by the
> simple least privilege model. /bin/ping has no reason to be suid root
> when you can remove the suid bit and grant it the CAP_NET_RAW
> capability. 
> This might mean that Ubuntu carries Ubuntu-specific patches to check

I agree, deprivileging this would be cool. Indeed that's what I did
with a lot of programs (hal, dhcp server and client, etc.) back in
Warty, so that such programs would start as root, just keep the
necessary capabilities, and drop to a system user (look at our dhcp3
source package for an example).

If this can now be done without intrusive code patches and just file
system changes, so much the better. Carrying those changes should be
much easier than keeping the code patches, since the former are just
small changes in the packaging (postinst scripts, etc.)


Martin Pitt         http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org
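The file-system-only change Jeff describes is `chmod u-s /bin/ping` followed by `setcap cap_net_raw+ep /bin/ping` (and `getcap` to confirm). What a packager then wants is a check that the binary is really no longer setuid-root and carries exactly the one capability it needs. The script below is an added example, not code from this thread or from Ubuntu's packaging: it audits a binary from its mode, owner and the raw `security.capability` xattr, decoding the xattr itself (the vfs_cap_data layout from linux/capability.h: revision 1 is 12 bytes with one 32-bit word per set, revision 2 is 20 bytes with two words, revision 3 adds a rootid) so the decoder can be exercised on constructed bytes without libcap or root. The function and constant names are my own, and the sample xattr blobs are constructed to match what `setcap` writes.

```python
"""Audit whether a binary gains privilege via setuid-root or via file
capabilities, decoding the security.capability xattr without libcap."""
import os
import stat
import struct

# Capability numbers from <linux/capability.h>; only a few are named here.
CAP_SETUID, CAP_NET_ADMIN, CAP_NET_RAW, CAP_SYS_ADMIN = 7, 12, 13, 21
CAP_NAMES = {CAP_SETUID: "cap_setuid", CAP_NET_ADMIN: "cap_net_admin",
             CAP_NET_RAW: "cap_net_raw", CAP_SYS_ADMIN: "cap_sys_admin"}

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_1 = 0x01000000   # magic + 1 x (permitted, inheritable): 12 bytes
VFS_CAP_REVISION_2 = 0x02000000   # magic + 2 x (permitted, inheritable): 20 bytes
VFS_CAP_REVISION_3 = 0x03000000   # revision 2 plus a le32 rootid:        24 bytes
VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # low bits of magic_etc: "+e" was requested

# Constructed sample (assumption): the xattr that `setcap cap_net_raw+ep`
# writes on a revision-2 kernel. magic_etc=0x02000001, permitted_lo=1<<13.
SAMPLE_PING_NET_RAW_EP = bytes.fromhex(
    "01000002" "00200000" "00000000" "00000000" "00000000")
# Constructed sample: same bits but only "+p", effective flag clear.
SAMPLE_PING_NET_RAW_P = bytes.fromhex(
    "00000002" "00200000" "00000000" "00000000" "00000000")


def decode_vfs_cap(raw):
    """Return (permitted, inheritable, effective) bitmasks from a raw
    security.capability value. All fields are little-endian 32-bit words;
    the low word of each set comes first. The effective set is all-or-
    nothing: it equals permitted when VFS_CAP_FLAGS_EFFECTIVE is set."""
    if len(raw) < 4:
        raise ValueError("security.capability too short: %d bytes" % len(raw))
    magic_etc = struct.unpack_from("<I", raw, 0)[0]
    rev = magic_etc & VFS_CAP_REVISION_MASK
    layouts = {VFS_CAP_REVISION_1: (1, 12),
               VFS_CAP_REVISION_2: (2, 20),
               VFS_CAP_REVISION_3: (2, 24)}
    if rev not in layouts:
        raise ValueError("unknown vfs_cap revision 0x%08x" % rev)
    words, expected_len = layouts[rev]
    if len(raw) != expected_len:
        raise ValueError("revision 0x%08x expects %d bytes, got %d"
                         % (rev, expected_len, len(raw)))
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    effective = permitted if magic_etc & VFS_CAP_FLAGS_EFFECTIVE else 0
    return permitted, inheritable, effective


def cap_set(mask):
    """Bitmask -> list of capability names, cap_N for numbers not in CAP_NAMES."""
    return [CAP_NAMES.get(n, "cap_%d" % n) for n in range(64) if (mask >> n) & 1]


def classify(mode, uid, raw):
    """Describe how a binary gets privilege: setuid-root, file capability,
    both (a half-finished migration), or neither. `raw` is the xattr or None."""
    suid_root = bool(mode & stat.S_ISUID) and uid == 0
    effective = decode_vfs_cap(raw)[2] if raw else 0
    if suid_root and effective:
        return "suid-root+capability"
    if suid_root:
        return "suid-root"
    if effective:
        return "capability"
    return "unprivileged"


def least_privilege_ok(mode, uid, raw, needed):
    """True iff the binary is not setuid-root and its permitted and effective
    sets are exactly `needed` (a bitmask): nothing extra is granted, and the
    granted bits are effective at exec, which a binary that never calls
    libcap relies on."""
    if mode & stat.S_ISUID and uid == 0:
        return False
    permitted, _, effective = decode_vfs_cap(raw) if raw else (0, 0, 0)
    return permitted == effective == needed


def audit_path(path):
    """Classify a real file. Linux only: os.getxattr reads the xattr that
    setcap wrote; ENODATA (no xattr) means no file capabilities."""
    st = os.stat(path)
    try:
        raw = os.getxattr(path, "security.capability")
    except OSError:
        raw = None
    return classify(st.st_mode, st.st_uid, raw), cap_set(
        decode_vfs_cap(raw)[2] if raw else 0)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:] or ["/bin/ping"]:
        print(p, *audit_path(p))
```

Two caveats this check encodes: a binary that does not itself call libcap to raise capabilities needs `+e` in the xattr, or the permitted bit is useless at exec (the `SAMPLE_PING_NET_RAW_P` case fails `least_privilege_ok`); and the capability lives in an xattr, not in the file contents, so a copy or package unpack that does not carry xattrs silently drops it, which is why the postinst has to (re)apply it and a check like this belongs in the package's test suite.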
