|Fedora 10 a little bit more secure
||[Jan. 2nd, 2009|04:09 pm]
Fedora 10 comes with filesystem capability support. Unfortunately it is not used by default in the packages which can take advantage of it. I think the excuse is that there people who build their own kernels and disable it. That's nonsense since there are many other options we rely on and which can be compiled out.
Anyway, you can do the following by hand. Unfortunately you have to do it every time the program is updated again.
sudo chmod u-s /bin/ping
sudo /usr/sbin/setcap cap_net_raw=ep /bin/ping
sudo chmod u-s /bin/ping6
sudo /usr/sbin/setcap cap_net_raw=ep /bin/ping6
Voilà, ping and ping6 are no SUID binaries anymore. Note that ls still signals (at least when you're using --color) that there is something special with the file, namely, there are filesystem attributes.
These are two easy cases. Other SUID programs need some research to see whether they can use filesystem capabilities as well and which capabilities they need.