[ubuntu-hardened] File Posix Capabilities in Jaunty

Kees Cook kees at ubuntu.com
Fri Mar 13 17:03:20 GMT 2009

On Fri, Mar 13, 2009 at 05:15:52AM -0700, Jeff Schroeder wrote:
> On Fri, Mar 13, 2009 at 12:41 AM, Michal Zimen <michal.zimen at gmail.com> wrote:
> > I mean capabilities described for example in this article:
> >                    http://www.friedhoff.org/posixfilecaps.html
> >
> >
> > It would be better to have system without SUID executable files. Afterall,
> > it is not so complicated:)
> I've not touched this since roughly a dapper timeline but it would be
> a good start.
> https://wiki.ubuntu.com/Security/Investigation/Setuid

Many things on this list use their setuid to gain a cap and then drop privs
(iirc, that's the "de-rooted: yes" ones).  I think "capabilities" column
here means "could be done with fscaps".


Kees Cook
Ubuntu Security Team

More information about the ubuntu-hardened mailing list