RemoveSETUID feature (Was: Summary/Minutes from today's FESCo meeting (2010-10-26) NEW TIME!)
Panu Matilainen
pmatilai at laiskiainen.org
Fri Oct 29 07:58:45 UTC 2010
On Thu, 28 Oct 2010, Jason L Tibbitts III wrote:
>>>>>> "JN" == Joe Nall <joe at nall.com> writes:
>
> JN> On Oct 28, 2010, at 5:08 PM, Richard W.M. Jones wrote:
>
>>> More to the point, I can easily see the setuid bit easily on a
>>> binary.
>>> How do I tell if these strange/hidden "capabilities" are
>>> present on a binary? 'ls' doesn't mention anything.
>
> JN> getcap
>
> Interesting. That's in the libcap package, which is sort of oddly named
> because it includes executables. And of course it's multilib, but the
> binaries are arch-specific which I believe is a multilib conflict.
> Probably needs the executables split out into a libcap-tools packages.
>
> I notice that rpm supports that %caps() directive in the %files list to
> specify capabilities. I don't recall seeing that before; how long ago
> did rpm grow support for it? It looks like it came in around rpm 4.7,
> so all supported Fedora releases have it. However, I'm certain it's not
> in RHEL4 and I'm pretty sure it's not in RHEL5 either, so at least the
> EPEL folks will need to make a note of it.
Yup, rpm 4.7.0 was the first one to support file capabilities. It's
use is tracked with rpmlib(FileCaps) dependency, making packages utilizing
the feature uninstallable with any older rpm versions, and of course
trying to build such packages on older versions will barf out with a
errors.
It should be possible to have EPEL define a macro that turns %caps(foo)
into an %attr() with SUID bit set, but blindly enabling SUID bits might
not be such a hot idea...
- Panu -
More information about the devel
mailing list