Ulrich Drepper (udrepper) wrote,
Ulrich Drepper
udrepper

Fedora 10 a little bit more secure

Fedora 10 comes with filesystem capability support. Unfortunately it is not used by default in the packages which can take advantage of it. I think the excuse is that there people who build their own kernels and disable it. That's nonsense since there are many other options we rely on and which can be compiled out.

Anyway, you can do the following by hand. Unfortunately you have to do it every time the program is updated again.

sudo chmod u-s /bin/ping
sudo /usr/sbin/setcap cap_net_raw=ep /bin/ping
sudo chmod u-s /bin/ping6
sudo /usr/sbin/setcap cap_net_raw=ep /bin/ping6


Voilà, ping and ping6 are no SUID binaries anymore. Note that ls still signals (at least when you're using --color) that there is something special with the file, namely, there are filesystem attributes.

These are two easy cases. Other SUID programs need some research to see whether they can use filesystem capabilities as well and which capabilities they need.
Tags: security
Subscribe

  • Secure File Descriptor Handling

    During the 2.6.27 merge window a number of my patches were merge and now we are at the point where we can securely create file descriptors without…

  • Closing

    I will not use this blog anymore. Instead I am hosting one on my own server with a much simpler (self-written) platform. Use the RSS file here.

  • (no subject)

    The original plan was to have some program sI wrote to be added to the procps or util-linux package but the maintainers haven't been responsive.…

  • Post a new comment

    Error

    Comments allowed for friends only

    Anonymous comments are disabled in this journal

    switch
    default userpic

    Your reply will be screened

    Your IP address will be recorded 

    Help
  • 0 comments