Replacing setuid with file capabilities

Clint Byrum clint at ubuntu.com
Thu Mar 29 16:53:33 UTC 2012


Excerpts from Serge Hallyn's message of Thu Mar 29 09:01:42 -0700 2012:
> Quoting Andrea Corbellini (corbellini.andrea at gmail.com):
> > Hello,
> > 
> > As many of you already know, there are some setuid executables in Ubuntu
> > that perform very specific tasks and do not need many special privileges
> > (ping and traceroute are just two examples). My proposal is to remove
> > their setuid flag and set the file capabilities they need through
> > setcap(8). This will indeed reduce the risk of privilege escalation.
> > 
> > I think this is the right time to start discussing this feature
> > because 12.10 is four releases away from the next LTS and the risk of
> > committing serious mistakes is lower.
> > 
> > So, what do you think? Is it something that we could do for the
> > Q-series?
> 
> One of the things which always blocked this in the past has been
> support for non-xattr filesystems, in particular NFS.  Perhaps
> it's something postinst can tweak based on fs support?
> 
> Couldn't hurt to have another session on this at next UDS.
> 

Wouldn't it be simpler to just have apparmor confine these binaries
to their intended setuid-needing capabilities?
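As an added illustration, not part of this thread or of Ubuntu's packaging, the following POSIX sh helper audits a directory tree for setuid binaries and reports which of them already carry file capabilities, which is the first thing a packager would want to know before deciding, binary by binary, between setcap, a setuid bit or an AppArmor profile. It assumes `getcap` from libcap (the `libcap2-bin` package on Ubuntu) is installed; if it is not, the script says so rather than guessing. The sample files created in the usage note are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the thread): enumerate setuid files under a
# directory and show the file capabilities, if any, stored on each one.
# Assumes getcap from libcap2-bin; degrades to a notice if it is absent.

# list_setuid DIR : print every regular file under DIR with the setuid
# bit (mode 04000), one path per line; -xdev keeps the scan on one fs
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# count_setuid DIR : number of setuid files under DIR
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# caps_of FILE : the file-capability record for FILE as getcap prints it
# (empty if none); reports clearly when getcap is not installed
caps_of() {
    if command -v getcap >/dev/null 2>&1; then
        getcap "$1" 2>/dev/null
    else
        echo "(getcap not installed, cannot read security.capability xattr)"
    fi
}

# list_capable DIR : files under DIR that already carry file capabilities,
# i.e. the target state the proposal aims for (empty if getcap is missing)
list_capable() {
    if command -v getcap >/dev/null 2>&1; then
        getcap -r "$1" 2>/dev/null
    fi
}

# audit_setuid DIR : one line per setuid file, noting whether it also has
# file capabilities (a transitional state) or relies on setuid alone
audit_setuid() {
    list_setuid "$1" | while IFS= read -r f; do
        caps=$(caps_of "$f")
        if [ -n "$caps" ]; then
            printf '%s\tsetuid + caps: %s\n' "$f" "$caps"
        else
            printf '%s\tsetuid only, no file capabilities\n' "$f"
        fi
    done
}

# Usage: sh audit.sh /usr/bin   (does nothing when no directory is given)
if [ -n "${1:-}" ]; then
    echo "setuid files under $1: $(count_setuid "$1")"
    audit_setuid "$1"
    echo "files already using capabilities:"
    list_capable "$1"
fi
```

Running it as `sh audit.sh /usr/bin` on a stock system lists the candidates the proposal is about (ping, traceroute and friends). Note that the output only tells you what is stored on disk: on an NFS or other non-xattr mount the capability record cannot exist at all, which is the deployment concern raised above, and on a `nosuid` mount the setuid bit is present but ignored at exec time.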
