Using File Capabilities Instead Of Setuid

From ArchWiki

This article is a stub.
This typically means the article is a placeholder for more content to come. Knowledgeable users are encouraged to help expand the article.


Introduction

This article explains how to remove the setuid attribute from binaries that require certain root privileges and to grant them only the capabilities they need. This replaces the "all or nothing" model of setuid with fine-grained control based on POSIX 1003.1e capabilities.

Use with caution: some programs do not know about file capabilities. They may appear to work correctly but have unexpected side effects (see, for example, util-linux-ng).

Prerequisites

You need libcap, which provides the setcap utility for setting file capabilities. File capabilities are stored as extended attributes.

pacman -S libcap

Setuid-root files by repo

[core]

coreutils

Current version: 7.2-1

chmod u-s /bin/su
setcap cap_setgid,cap_setuid+ep /bin/su

dcron

Current version: 3.2-3

chmod u-s /usr/bin/crontab
setcap cap_dac_override,cap_setgid+ep /usr/bin/crontab

glibc

Current version: 2.9-4

heimdal

Current version: 1.2.1-3

inetutils

Current version: 1.6-3

chmod u-s /usr/bin/rsh
setcap cap_net_bind_service+ep /usr/bin/rsh
chmod u-s /usr/bin/rcp
setcap cap_net_bind_service+ep /usr/bin/rcp
chmod u-s /usr/bin/rlogin
setcap cap_net_bind_service+ep /usr/bin/rlogin

iputils

Current version: 20071127-2

chmod u-s /bin/ping
setcap cap_net_raw+ep /bin/ping
chmod u-s /bin/ping6
setcap cap_net_raw+ep /bin/ping6
chmod u-s /bin/traceroute
setcap cap_net_raw+ep /bin/traceroute
chmod u-s /bin/traceroute6
setcap cap_net_raw+ep /bin/traceroute6

pam

Current version: 1.0.4-1

chmod u-s /sbin/unix_chkpwd
setcap cap_dac_read_search+ep /sbin/unix_chkpwd

shadow

Current version: 4.1.2.1-2

chmod u-s /usr/bin/chage
setcap cap_dac_read_search+ep /usr/bin/chage
chmod u-s /usr/bin/chfn
setcap cap_chown,cap_setuid+ep /usr/bin/chfn
chmod u-s /usr/bin/chsh
setcap cap_chown,cap_setuid+ep /usr/bin/chsh
chmod u-s /usr/bin/expiry
setcap cap_dac_override,cap_setgid+ep /usr/bin/expiry
chmod u-s /usr/bin/gpasswd
setcap cap_chown,cap_dac_override,cap_setuid+ep /usr/bin/gpasswd
chmod u-s /usr/bin/newgrp
setcap cap_dac_override,cap_setgid+ep /usr/bin/newgrp
chmod u-s /usr/bin/passwd
setcap cap_chown,cap_dac_override,cap_fowner+ep /usr/bin/passwd

sudo

Current version: 1.7.0-1

Sudo does not work without setuid.

util-linux-ng

Current version: 2.14.2-1

Warning: Do not use this, because mount and umount cannot perform some of their checks, so users can mount/umount filesystems they do not have permission for.
chmod u-s /bin/mount
setcap cap_dac_override,cap_sys_admin+ep /bin/mount
chmod u-s /bin/umount
setcap cap_dac_override,cap_sys_admin+ep /bin/umount

[extra]

apache

cups

fuse

kdebase-workspace

pmount

Current version: 0.9.19-2

Does not work without setuid.

schroot

screen

Current version: 4.0.3-6

Always needs setuid to perform some security checks. See the screen(1) man page.

xorg-xserver

Current version: 1.6.0-2

chmod u-s /usr/bin/Xorg
setcap cap_chown,cap_dac_override,cap_sys_rawio,cap_sys_admin+ep /usr/bin/Xorg

[community]

Useful commands

Find setuid-root files

find /bin /sbin /lib /usr/bin /usr/sbin /usr/lib -perm -4000 -user root

Find setgid-root files

find /bin /sbin /lib /usr/bin /usr/sbin /usr/lib -perm -2000 -group root
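
To check what a setcap command from this page actually stored on a binary, the security.capability extended attribute can be decoded directly. The following Python is an added example, not part of the original article or of libcap; the function names and the sample bytes are constructed for illustration, and the layout assumed is the kernel's struct vfs_cap_data.

```python
import os
import struct

# Capability bit numbers in the order of linux/capability.h (0 = cap_chown).
CAP_NAMES = """chown dac_override dac_read_search fowner fsetid kill setgid
setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore""".split()
# Number of 32-bit (permitted, inheritable) pairs per xattr revision.
PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}


def names(mask):
    """Turn a capability bitmask into a list of cap_* names."""
    return ["cap_" + CAP_NAMES[i] if i < len(CAP_NAMES) else "cap_%d" % i
            for i in range(64) if mask >> i & 1]


def decode_file_caps(raw):
    """Decode a security.capability value (struct vfs_cap_data, little endian)."""
    if len(raw) < 4:
        raise ValueError("truncated xattr")
    (magic,) = struct.unpack_from("<I", raw)
    pairs = PAIRS.get(magic & 0xFF000000)
    if pairs is None or len(raw) < 4 + 8 * pairs:
        raise ValueError("unknown revision or truncated xattr")
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {"effective": bool(magic & 0x1),  # the "e" in "+ep"
            "permitted": names(permitted), "inheritable": names(inheritable)}


def audit(path):
    """Return (setuid bit set?, decoded file capabilities or None). Linux only."""
    setuid = bool(os.stat(path).st_mode & 0o4000)
    try:
        caps = decode_file_caps(os.getxattr(path, "security.capability"))
    except OSError:  # no capability xattr on this file
        caps = None
    return setuid, caps


# Constructed sample: the value "setcap cap_net_raw+ep" stores (revision 2).
SAMPLE_PING = struct.pack("<IIIII", 0x02000001, 1 << 13, 0, 0, 0)
```

After a conversion, audit() on the binary should report the setuid bit as cleared and list exactly the capabilities given to setcap; a file that still has the setuid bit set, or carries more capabilities than intended, stands out immediately.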

Additional Resources

  • Man pages: capabilities(7), setcap(8), getcap(8)