Joerg Schilling schrieb am 26.04.2013 20:31:
> Daniel Pielmeier <bil...@gentoo.org> wrote:
> 
>> Actually it is the linkage against libcap that I am concerned about.
> 
> This is what I call a security risk with the current concepts of some linux 
> systems. See Announcement file for more....
> 
>> Imagine the following scenario. Libcap is not present on the system.
>> Then package X which requires libcap is installed and the package
>> manager which knows this installs libcap as a dependency. Then package Y
>> is installed which unconditionally links against libcap. The package
>> manager is unaware of this and does not know about the dependency. Now
>> package X is uninstalled and the package manager removes libcap because
>> it thinks nothing on the system needs it anymore. Now package Y will
>> stop working because libcap is not there anymore. If it is possible to
>> conditionally link against libcap such issues could be avoided. Libcap
>> will not be uninstalled if the dependency is known. Additionally it is
>> possible to have libcap installed and not link cdrtools against it.
> 
> On Solaris, you cannot remove files that are part of the basic kernel 
> features.
> 
> Privileges on Solaris are a basic kernel feature and part of the basic 
> security concept, so you cannot remove this.... on most Linux distros, it 
> seems that you can.
> 
> I am concerned about a different scenario:
> 
> Imagine, you compile cdrtools without libcap and later install the support 
> for the OS. Now you decide to use "setcap" to make cdrecord work. Cdrecord 
> will really work this way, but you opened a security hole as this cdrecord 
> now is not privileges aware and thus cannot even detect that it is running 
> with more than basic privileges. Such a cdrecord installation will happily 
> write any local file for any local user to CD.
> 
> Jörg
> 

If you add an option to make conditional linkage against libcap possible
there are only two possible scenarios. cdrtools links against libcap and
the capabilities are set or it doesn't link against libcap and cdrtools
are installed suid root without capabilities.

Everything is done in the ebuild and the user does not need to mess with
setcap. It is controlled by the package manager and the linkage and
capability setting are tied together at installation time.

Just adding an option similar to the one for the ACLs would make my life
a lot easier. Just enable it by default and make it possible to switch
it off.

-- 
Regards
Daniel Pielmeier
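The two messages above describe four ways a cdrecord binary can end up installed: linked against libcap with file capabilities set, not linked but installed setuid root, not linked but given capabilities with setcap (the combination Jörg describes as a security hole, because the program cannot see that it runs with more than basic privileges), or neither. The following script is an added example, not code from this thread or from cdrtools or the Gentoo ebuild, that a packager or administrator could run over installed binaries to flag the dangerous combination. It assumes a Linux host with ldd, getcap and find available; the function names are hypothetical, and a statically linked libcap is not detected by the ldd check.

```shell
#!/bin/sh
# Classify one binary by the combination of facts discussed in the thread
# (hypothetical helper; argument values are the strings "yes" or "no"):
#   $1 linked   - dynamically linked against libcap
#   $2 caps     - file capabilities set on the binary
#   $3 suidroot - installed setuid root
# Prints one of: CAPS_AWARE, CAPS_UNAWARE, SUID_ONLY, UNPRIVILEGED
classify_privilege_setup() {
    if [ "$2" = yes ] && [ "$1" != yes ]; then
        # Capabilities granted to a program without libcap support: it has no
        # way to notice or drop them, which is the hole described above.
        echo CAPS_UNAWARE
    elif [ "$2" = yes ]; then
        # Linked against libcap and capabilities set at install time.
        echo CAPS_AWARE
    elif [ "$3" = yes ]; then
        # Classic setuid root install, no file capabilities involved.
        echo SUID_ONLY
    else
        # Neither mechanism: the binary only has whatever the caller has.
        echo UNPRIVILEGED
    fi
    return 0
}

# Gather the three facts for a real file on a Linux system and print the
# verdict. Returns 1 when the CAPS_UNAWARE combination is found so the
# script can serve as a QA hook. ldd, getcap and find are assumed present.
inspect_binary() {
    bin=$1
    linked=no; caps=no; suidroot=no
    # Dynamic linkage against libcap (a static libcap would not show here).
    if ldd "$bin" 2>/dev/null | grep -q 'libcap\.so'; then linked=yes; fi
    # getcap prints nothing when no file capabilities are set.
    if [ -n "$(getcap "$bin" 2>/dev/null)" ]; then caps=yes; fi
    # setuid bit present and owner is root.
    if find "$bin" -prune -perm -4000 -user root 2>/dev/null | grep -q .; then
        suidroot=yes
    fi
    verdict=$(classify_privilege_setup "$linked" "$caps" "$suidroot")
    printf '%s: linked_libcap=%s file_caps=%s suid_root=%s -> %s\n' \
        "$bin" "$linked" "$caps" "$suidroot" "$verdict"
    [ "$verdict" != CAPS_UNAWARE ]
}

# Usage: sh check_caps.sh /usr/bin/cdrecord /usr/bin/readcd ...
rc=0
for bin in "$@"; do
    inspect_binary "$bin" || rc=1
done
[ "$#" -eq 0 ] || exit "$rc"
```

Run with the paths of the installed cdrtools binaries; a non-zero exit status means at least one binary carries file capabilities without being linked against libcap, which is exactly the installation the thread says should never exist if linkage and capability setting are tied together by the package manager.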
