[ubuntu-hardened] Removing suid root from binaries where it isn't needed
Kees Cook
kees at ubuntu.com
Wed Oct 31 14:29:59 GMT 2007
On Wed, Oct 31, 2007 at 09:52:12AM -0400, Chad Sellers wrote:
> On 10/30/07 11:23 PM, "Kees Cook" <kees at ubuntu.com> wrote:
> > I think the fscap stuff would be a good thing to get into Hardy+1. We
> > can test it and start the discussion with Debian about it now, though.
> >
> That sounds like a good plan. Extra thought and testing will be good, as
> this is an area where you have to tread very carefully. You have to account
> for non-xattr filesystems, people who compile their own kernel (possibly
> without fscaps), and many associated corner cases. We actually talked about
> doing something similar with SELinux (authoritative caps [1]), but decided
> against it due to these problems.
Yeah, combined with the prior derooting work, perhaps some of this
results in too many regressions. From the original list of setuid
tools, perhaps we need to audit for a few things:
- is it already derooted?
  - yes: is the derooting patch upstream?
  - no: can it be derooted?
    - yes: do it; send patch upstream
    - no: can its work be done via capabilities?
      - yes: investigate fscap to replace setuidness
      - no: pull out hair
Martin, is there some list of the packages you worked on for the
derooting?
Can someone make a matrix of setuid applications that need this
investigation? Maybe at
https://wiki.ubuntu.com/Security/Investigation/Setuid
With that we can build our checklist and see what needs either derooting
or fscap work.
-Kees
--
Kees Cook
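As an added example (not part of the thread or of any Ubuntu tooling), a small Python helper for the checklist above: it decodes the security.capability xattr (struct vfs_cap_data, revisions 1 to 3; the revision-3 rootid is ignored) and buckets each binary as setuid-root, fscap-only or both, so a matrix like the one Kees asks for can be produced from a filesystem walk. Function names and category labels are my own, and the walk assumes a Linux host with xattr support.

```python
import errno, os, stat, struct

# Capability names for bits 0..31, numbered as in <linux/capability.h>.
CAP_NAMES = ("chown dac_override dac_read_search fowner fsetid kill setgid setuid "
             "setpcap linux_immutable net_bind_service net_broadcast net_admin "
             "net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace "
             "sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time "
             "sys_tty_config mknod lease audit_write audit_control setfcap").split()
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001

def decode_fscap(raw):
    """Decode a security.capability xattr (little-endian struct vfs_cap_data)."""
    magic_etc, = struct.unpack_from("<I", raw, 0)
    # (permitted, inheritable) u32 pairs per revision; revision 3 adds a rootid we skip
    pairs = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}.get(magic_etc & VFS_CAP_REVISION_MASK)
    if pairs is None:
        raise ValueError("unknown vfs_cap_data revision in %r" % raw[:4])
    words = struct.unpack_from("<%dI" % (2 * pairs), raw, 4)
    permitted = sum(w << (32 * i) for i, w in enumerate(words[0::2]))
    inheritable = sum(w << (32 * i) for i, w in enumerate(words[1::2]))
    names = lambda m: [CAP_NAMES[b] if b < 32 else "cap_%d" % b
                       for b in range(m.bit_length()) if m >> b & 1]
    return {"permitted": names(permitted), "inheritable": names(inheritable),
            "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)}

def classify(mode, uid, caps):
    """Bucket one binary the way the checklist in the mail does (labels are mine)."""
    if mode & stat.S_ISUID and uid == 0:
        return "setuid-root+fscap" if caps else "setuid-root"  # needs the investigation
    return "fscap-only" if caps else "unprivileged"

def audit_tree(root):
    """Walk a tree; return {path: (category, caps)} for every privileged binary."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            try:
                caps = decode_fscap(os.getxattr(path, "security.capability"))
            except OSError as exc:  # ENODATA: no caps set; ENOTSUP: fs without xattrs
                if exc.errno not in (errno.ENODATA, errno.ENOTSUP):
                    raise
                caps = None
            category = classify(st.st_mode, st.st_uid, caps)
            if category != "unprivileged":
                findings[path] = (category, caps)
    return findings
```

Run `audit_tree("/usr")` on a test box to list the setuid-root binaries still awaiting a deroot or fscap decision, and the fscap-only ones that no longer need the bit.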