Replacing setuid with file capabilities
serge.hallyn at canonical.com
Thu Mar 29 16:01:42 UTC 2012
Quoting Andrea Corbellini (corbellini.andrea at gmail.com):
> As many of you already know, there are some setuid executables in Ubuntu
> that perform very specific tasks and do not need many special privileges
> (ping and traceroute are just two examples). My proposal is to remove
> their setuid flag and set the file capabilities they need through
> setcap(8). This will indeed reduce the risk of privilege escalation.
> I think this is the right time to start discussing about this feature
> because 12.10 is four releases away from the next LTS and the risk of
> committing serious mistakes is lower.
> So, what do you think? Is it something that we could do for the
One of the things which always blocked this in the past has been
support for non-xattr filesystems, in particular NFS. Perhaps
it's something postinst can tweak based on fs support?
Couldn't hurt to have another session on this at next UDS.
More information about the ubuntu-server