Replacing setuid with file capabilities

Serge Hallyn serge.hallyn at canonical.com
Thu Mar 29 16:01:42 UTC 2012


Quoting Andrea Corbellini (corbellini.andrea at gmail.com):
> Hello,
> 
> As many of you already know, there are some setuid executables in Ubuntu
> that perform very specific tasks and do not need many special privileges
> (ping and traceroute are just two examples). My proposal is to remove
> their setuid flag and set the file capabilities they need through
> setcap(8). This will indeed reduce the risk of privilege escalation.
> 
> I think this is the right time to start discussing this feature
> because 12.10 is four releases away from the next LTS and the risk of
> committing serious mistakes is lower.
> 
> So, what do you think? Is it something that we could do for the
> Q-series?

One of the things which always blocked this in the past has been
support for non-xattr filesystems, in particular NFS.  Perhaps
it's something postinst can tweak based on fs support?

Couldn't hurt to have another session on this at next UDS.

thanks,
-serge
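As an added illustration of the proposal and of the filesystem caveat raised in this reply (this is example code written for this page, not a script from Ubuntu or from either poster): a small postinst-style helper that grants a binary the file capabilities it needs and drops its setuid bit, but keeps setuid on filesystems that cannot carry the security.capability xattr. The capability set assumed for ping/traceroute (cap_net_raw+ep) and the list of xattr-less filesystem types are this example's assumptions, not something the thread states.

```shell
#!/bin/sh
# Example helper (not from the thread): replace setuid with file capabilities
# where the filesystem supports xattrs, otherwise keep setuid so the tool works.
set -u

# Capability set each binary needs. ASSUMPTION for this example: ping and
# traceroute only need raw sockets, i.e. cap_net_raw in the effective+permitted sets.
cap_for() {
    case "$1" in
        ping|ping6|traceroute) echo "cap_net_raw+ep" ;;
        *) return 1 ;;
    esac
}

# Decide the method from the filesystem type as printed by `stat -f -c %T`.
# ASSUMPTION: these types cannot store the security.capability xattr, so the
# binary must stay setuid there (the NFS concern raised in the reply).
privilege_method() {
    case "$1" in
        nfs|nfs4|cifs|smb2|vfat|msdos) echo setuid ;;
        *) echo setcap ;;
    esac
}

fs_type_of() { stat -f -c %T -- "$1"; }

# Apply the chosen method and verify it. `setcap -v` checks that the file now
# carries exactly the requested capabilities; if that fails (or the fs type
# says xattrs are unavailable), restore setuid so the tool keeps working.
# Doing anything real here requires root; the pure helpers above do not.
grant_privilege() {
    path="$1"
    caps=$(cap_for "$(basename -- "$path")") || {
        echo "no capability profile for $path" >&2
        return 2
    }
    method=$(privilege_method "$(fs_type_of "$path")")
    if [ "$method" = setcap ] \
       && setcap "$caps" "$path" 2>/dev/null \
       && setcap -v "$caps" "$path" >/dev/null 2>&1; then
        chmod u-s -- "$path"
        echo setcap
    else
        setcap -r "$path" 2>/dev/null || true
        chmod u+s -- "$path"
        echo setuid
    fi
}

# Usage: sudo ./capify.sh /bin/ping
if [ $# -gt 0 ]; then
    grant_privilege "$1"
fi
```

Run as root against one binary at a time; it prints which method ended up in effect. The filesystem-type check is belt and braces: setcap would fail on NFS anyway, but checking first keeps the fallback path explicit and avoids leaving a binary with neither setuid nor capabilities if the xattr write is rejected part-way.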

More information about the ubuntu-server mailing list