On Thu, 2012-03-29 at 09:53 -0700, Clint Byrum wrote:
> Excerpts from Serge Hallyn's message of Thu Mar 29 09:01:42 -0700 2012:
> > Quoting Andrea Corbellini ([email protected]):
> > > Hello,
> > >
> > > As many of you already know, there are some setuid executables in Ubuntu that perform very specific tasks and do not need many special privileges (ping and traceroute are just two examples). My proposal is to remove their setuid flag and set the file capabilities they need through setcap(8). This will indeed reduce the risk of privilege escalation.
> > >
> > > I think this is the right time to start discussing this feature because 12.10 is four releases away from the next LTS and the risk of committing serious mistakes is lower.
> > >
> > > So, what do you think? Is it something that we could do for the Q-series?
> >
> > One of the things which always blocked this in the past has been support for non-xattr filesystems, in particular NFS. Perhaps it's something postinst can tweak based on fs support?
> >
> > Couldn't hurt to have another session on this at next UDS.
> >
>
> Wouldn't it be simpler to just have apparmor confine these binaries to their intended setuid-needing capabilities?
>
Please read these first:

http://permalink.gmane.org/gmane.comp.security.oss.general/3719
http://forums.grsecurity.net/viewtopic.php?f=7&t=2522

I'm not convinced we won't be introducing all new vulnerabilities by trying to remove the setuid flag.

Marc.

--
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
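As an added example (not code from the thread, and not taken from any Ubuntu package), here is the shape of the postinst logic Serge alludes to: try to install the minimal file-capability set Andrea proposes, confirm with `setcap -v` that the capability xattr was actually stored, and only then drop the setuid bit; if the filesystem cannot hold the xattr (NFS being the usual case), fall back to setuid root so the tool keeps working rather than silently losing the privilege it needs. The script name `harden.sh` and the `SETCAP` override (which lets the branch logic run without root or a real setcap) are assumptions of this example; `cap_net_raw` is the raw-socket capability that ping and traceroute need.

```shell
#!/bin/sh
# Added example, not code from the thread or from any Ubuntu package.
# Postinst-style helper: prefer a minimal file-capability set over setuid
# root, but fall back to setuid when the capability xattr cannot be stored
# (e.g. a binary installed on NFS or another filesystem without xattrs).
# Assumes libcap's setcap(8); SETCAP is overridable (an assumption of this
# example) so the branch logic can be exercised without root or real setcap.

# apply_min_privs BINARY CAPS
#   e.g. apply_min_privs /bin/ping cap_net_raw+ep
# Prints "fscaps" when the capability set was stored, verified with
# `setcap -v`, and the setuid bit was removed; prints "setuid" when it had
# to fall back to a setuid-root binary.
apply_min_privs() {
    bin=$1
    caps=$2
    setcap_cmd=${SETCAP:-setcap}

    if command -v "$setcap_cmd" >/dev/null 2>&1 \
       && "$setcap_cmd" "$caps" "$bin" 2>/dev/null \
       && "$setcap_cmd" -v "$caps" "$bin" >/dev/null 2>&1; then
        # Only drop setuid once the capabilities are verifiably on disk;
        # otherwise the binary would silently lose the privilege it needs.
        chmod u-s "$bin"
        echo fscaps
    else
        echo "file capabilities unavailable for $bin, keeping setuid root" >&2
        chmod u+s "$bin"
        echo setuid
    fi
}

# is_setuid FILE: exit 0 if the setuid bit is set on FILE
is_setuid() {
    [ -u "$1" ]
}

# Usage: sudo sh harden.sh BINARY CAPS [BINARY CAPS ...]
#   sudo sh harden.sh /bin/ping cap_net_raw+ep /usr/bin/traceroute cap_net_raw+ep
if [ $# -ge 2 ]; then
    while [ $# -ge 2 ]; do
        apply_min_privs "$1" "$2"
        shift 2
    done
fi
```

The verification step matters more than it looks: a `setcap` that "succeeds" against a filesystem that does not persist the xattr, or a later copy of the binary across such a filesystem, leaves a tool with neither setuid nor capabilities, which is a breakage rather than a hardening. The fallback keeps the old trust model on those paths, so the change is only ever a strict reduction in privilege where it applies.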
