Replacing setuid with file capabilities
Marc Deslauriers
marc.deslauriers at canonical.com
Thu Mar 29 17:08:03 UTC 2012
On Thu, 2012-03-29 at 09:53 -0700, Clint Byrum wrote:
> Excerpts from Serge Hallyn's message of Thu Mar 29 09:01:42 -0700 2012:
> > Quoting Andrea Corbellini (corbellini.andrea at gmail.com):
> > > Hello,
> > >
> > > As many of you already know, there are some setuid executables in Ubuntu
> > > that perform very specific tasks and do not need many special privileges
> > > (ping and traceroute are just two examples). My proposal is to remove
> > > their setuid flag and set the file capabilities they need through
> > > setcap(8). This will indeed reduce the risk of privilege escalation.
> > >
> > > I think this is the right time to start discussing about this feature
> > > because 12.10 is four releases away from the next LTS and the risk of
> > > committing serious mistakes is lower.
> > >
> > > So, what do you think? Is it something that we could do for the
> > > Q-series?
> >
> > One of the things which always blocked this in the past has been
> > support for non-xattr filesystems, in particular NFS. Perhaps
> > it's something postinst can tweak based on fs support?
> >
> > Couldn't hurt to have another session on this at next UDS.
> >
>
> Wouldn't it be simpler to just have apparmor confine these binaries
> to their intended setuid-needing capabilities?
>
Please read these first:
http://permalink.gmane.org/gmane.comp.security.oss.general/3719
http://forums.grsecurity.net/viewtopic.php?f=7&t=2522
I'm not convinced we won't be introducing all new vulnerabilities by
trying to remove the setuid flag.
Marc.
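Serge's suggestion earlier in the thread, letting the package's postinst decide between setcap and setuid from what the filesystem can store, could look like the following. This is an added example from the editor, not code from the thread or from Ubuntu's packaging. It assumes the type names printed by GNU `stat -f -c %T`, a hand-picked list of filesystem types treated as unable to hold the security.capability xattr (NFS being the case Serge raises), and cap_net_raw+ep as ping's capability set; it does not speak to the separate concern Marc raises about new vulnerabilities from dropping the setuid bit.

```shell
#!/bin/sh
# Constructed example of a postinst-style helper: grant a binary its few needed
# capabilities via setcap(8) where the filesystem can hold the security.capability
# xattr, and keep the setuid bit where it cannot. Not Ubuntu's packaging code.

# Filesystem type names (as printed by `stat -f -c %T`) that this example treats
# as unable to store file capabilities. The list is an assumption of the example,
# not an authoritative table; adjust it to local policy.
NO_XATTR_FS="nfs nfs4 vfat msdos fuseblk unknown"

# fs_type_of PATH: print the type name of the filesystem holding PATH,
# or "unknown" if it cannot be determined.
fs_type_of() {
    stat -f -c %T "$1" 2>/dev/null || echo unknown
}

# can_use_filecaps FSTYPE: print "yes" if file capabilities may be used on a
# filesystem of this type, "no" otherwise. Always exits 0; the answer is on stdout.
can_use_filecaps() {
    for bad in $NO_XATTR_FS; do
        if [ "$1" = "$bad" ]; then
            echo no
            return 0
        fi
    done
    echo yes
}

# plan_privilege FSTYPE: print the mechanism to use for a binary on FSTYPE,
# "setcap" or "setuid". Pure decision; nothing on disk is modified.
plan_privilege() {
    if [ "$(can_use_filecaps "$1")" = yes ]; then
        echo setcap
    else
        echo setuid
    fi
}

# apply_privilege BINARY CAPS: carry out the plan for BINARY. CAPS is a
# cap_from_text(3) string such as cap_net_raw+ep (what ping needs for raw
# sockets). Requires root. On any failure the setuid bit is restored so the
# binary never ends up with neither mechanism.
apply_privilege() {
    bin=$1
    caps=$2
    case "$(plan_privilege "$(fs_type_of "$bin")")" in
    setcap)
        if ! command -v setcap >/dev/null 2>&1; then
            echo "setcap not installed, keeping setuid on $bin" >&2
            chmod u+s "$bin"
            return 1
        fi
        # Drop setuid first: chmod does not clear the capability xattr, so the
        # order leaves no window in which both mechanisms are active.
        chmod u-s "$bin"
        # Verify the xattr actually stuck; a silently ignored setcap would leave
        # an unprivileged, non-working binary.
        if setcap "$caps" "$bin" && getcap "$bin" | grep -q 'cap_'; then
            echo "$bin: setuid removed, capabilities set to $caps"
        else
            echo "setcap failed on $bin, restoring setuid" >&2
            chmod u+s "$bin"
            return 1
        fi
        ;;
    setuid)
        chmod u+s "$bin"
        echo "$bin: filesystem cannot hold file capabilities, kept setuid"
        ;;
    esac
}

# Dry run that needs no privileges: report what would be done for ping(8).
echo "plan for /bin/ping: $(plan_privilege "$(fs_type_of /bin/ping)")"
```

Only `apply_privilege` touches the filesystem and needs root (for example `apply_privilege /bin/ping cap_net_raw+ep` from a maintainer script); the other functions are pure decisions and can be exercised without privileges, which is how the choice of mechanism can be checked before a package is built.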