Do-over... more comments, removed some unneeded caps, and I forgot about gpasswd (see the comment for newgrp) and expiry. So, I think this is all the suid-root programs in the base system:
chmod -v -s /bin/ping
setcap cap_net_raw=ep /bin/ping
chmod -v -s /bin/ping6
setcap cap_net_raw=ep /bin/ping6

# Regular users can only use the --list option, so chage only needs read
# access to /etc/shadow.
chmod -v -s /usr/bin/chage
setcap CAP_DAC_READ_SEARCH=ep /usr/bin/chage

# expiry needs the same capabilities as chage.
chmod -v -s /usr/bin/expiry
setcap CAP_DAC_READ_SEARCH=ep /usr/bin/expiry

# chfn needs read access to /etc/shadow, to check the user's password. Somehow
# the write access to /etc/passwd is managed with CAP_SETUID and CAP_CHOWN,
# using /etc/passwd- as a temporary file.
chmod -v -s /usr/bin/chfn
setcap CAP_CHOWN,CAP_DAC_READ_SEARCH,CAP_SETUID=ep /usr/bin/chfn

# The user's shell is not stored in /etc/shadow, only /etc/passwd (which is
# world readable), so no special read permissions are needed for chsh.
chmod -v -s /usr/bin/chsh
setcap CAP_CHOWN,CAP_SETUID=ep /usr/bin/chsh

# For some reason the behavior is different when writing to /etc/shadow,
# compared to /etc/passwd, and CAP_DAC_OVERRIDE is needed.
chmod -v -s /bin/passwd
setcap CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_SETUID=ep /bin/passwd

# gpasswd needs the same capabilities as passwd.
chmod -v -s /usr/bin/gpasswd
setcap CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_SETUID=ep /usr/bin/gpasswd

# /bin/su may want CAP_SYS_TTY_CONFIG and CAP_SYS_RESOURCE, depending on how
# you use su.
chmod -v -s /bin/su
setcap CAP_DAC_READ_SEARCH,CAP_SETUID,CAP_SETGID=ep /bin/su

# If you do not use gpasswd, then /usr/bin/newgrp only needs CAP_SETGID.
chmod -v -s /usr/bin/newgrp
setcap CAP_DAC_READ_SEARCH,CAP_SETGID=ep /usr/bin/newgrp

chmod -v -s /bin/mount
setcap CAP_SYS_ADMIN=ep /bin/mount
chmod -v -s /bin/umount
setcap CAP_SYS_ADMIN=ep /bin/umount

robert
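After running a conversion like the one above, a defender wants to confirm that each program ended up with exactly the intended capability set and that no setuid bit was left behind. The audit helper below is an added example, not robert's script: the expected sets are copied from his setcap calls, and it assumes getcap prints either the older libcap style ("/bin/ping = cap_net_raw+ep") or the newer one ("/bin/ping cap_net_raw=ep").

```shell
#!/bin/sh
# Audit helper (added example): compare getcap output against the expected
# capability sets and flag converted programs that still carry a setuid bit.

# Expected file capabilities, copied from the setcap calls in the post.
EXPECTED='/bin/ping cap_net_raw=ep
/bin/ping6 cap_net_raw=ep
/usr/bin/chage CAP_DAC_READ_SEARCH=ep
/usr/bin/expiry CAP_DAC_READ_SEARCH=ep
/usr/bin/chfn CAP_CHOWN,CAP_DAC_READ_SEARCH,CAP_SETUID=ep
/usr/bin/chsh CAP_CHOWN,CAP_SETUID=ep
/bin/passwd CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_SETUID=ep
/usr/bin/gpasswd CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_SETUID=ep
/bin/su CAP_DAC_READ_SEARCH,CAP_SETUID,CAP_SETGID=ep
/usr/bin/newgrp CAP_DAC_READ_SEARCH,CAP_SETGID=ep
/bin/mount CAP_SYS_ADMIN=ep
/bin/umount CAP_SYS_ADMIN=ep'

# normalize_caps LINE: accept an EXPECTED entry or a getcap line in either style
# (older libcap "path = caps+ep", newer "path caps=ep") and print
# "<path> <sorted,lowercase,caps>=<flags>" so sets compare independent of order.
normalize_caps() {
    line=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -e 's/ = / /' -e 's/+ep$/=ep/')
    path=${line%% *}
    caps=${line#* }
    names=$(printf '%s\n' "${caps%%=*}" | tr ',' '\n' | sort | tr '\n' ',' | sed 's/,$//')
    printf '%s %s=%s\n' "$path" "$names" "${caps#*=}"
}

# check_caps_line LINE: return 0 if this getcap line matches EXPECTED for its
# path, 1 if the set differs or the path is not one of the converted programs.
check_caps_line() {
    got=$(normalize_caps "$1")
    want=$(printf '%s\n' "$EXPECTED" | grep "^${got%% *} ") || return 1
    [ "$got" = "$(normalize_caps "$want")" ]
}

# suid_remnants LISTING: LISTING is "find / -perm -4000" output, one path per
# line; print every converted program that still appears in it.
suid_remnants() {
    printf '%s\n' "$EXPECTED" | while read -r path _; do
        if printf '%s\n' "$1" | grep -qx "$path"; then printf '%s\n' "$path"; fi
    done
}

# Live usage:
#   getcap -r / 2>/dev/null | while read -r l; do check_caps_line "$l" || echo "MISMATCH: $l"; done
#   suid_remnants "$(find / -xdev -perm -4000 -type f 2>/dev/null)"
```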
-- 
http://linuxfromscratch.org/mailman/listinfo/hlfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page