Summary/Minutes from today's FESCo meeting (2010-10-26) NEW TIME!

Karel Zak kzak at redhat.com
Fri Nov 5 00:38:05 UTC 2010


On Thu, Oct 28, 2010 at 11:14:08AM +0300, Pekka Pietikainen wrote:
> On Thu, Oct 28, 2010 at 12:44:52PM +0530, Rahul Sundaram wrote:
> > This feature is now approved and I see bugs get filed.  The documentation and
> > guidelines are very incomplete.  How does one figure out which file
> > capabilities are needed by the programs I maintain that currently use setuid? 
> > Help, please.
> Probably: remove setuid bit, run, see what breaks. strace may be useful

 Don't do that. You have to *always* read the application source code to verify
 that the change is safe. You have to verify all relevant shared libraries too.

> [pp at the ~]$ strace ./rsh localhost 2>&1|grep EACCES
> bind(3, {sa_family=AF_INET6, sin6_port=htons(1023), inet_pton(AF_INET6,
> "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES
> (Permission denied)
> 
> -> needs CAP_NET_BIND_SERVICE. It didn't seem to output any error to the
> user, so the lacking permissions may be well-hidden.

 That's completely wrong and dangerous point of view...

    Karel

-- 
 Karel Zak  <kzak at redhat.com>
 http://karelzak.blogspot.com


More information about the devel mailing list