Using File Capabilities Instead Of Setuid
From ArchWiki
Contents |
Introduction
The intention of this article is to remove the setuid attribute in the binaries that require certain root-privileges. In this way, it eliminates the need for "all or nothing", using a fine grained control with POSIX 1003.1e capabilities.
Use with caution, some programs do not know about file capabilities. It apparently works correctly, but have some unexpected side effects (see for example util-linux-ng)
Prerequisites
You need libcap, for setting file capabalities that are extended attributes, with the utility setcap.
pacman -S libcap
Setuid-root files by repo
[core]
coreutils
Current version: 7.2-1
chmod u-s /bin/su setcap cap_setgid,cap_setuid+ep /bin/su
dcron
Current version: 3.2-3
chmod u-s /usr/bin/crontab setcap cap_dac_override,cap_setgid+ep /usr/bin/crontab
glibc
Current version: 2.9-4
heimdal
Current version: 1.2.1-3
inetutils
Current version: 1.6-3
chmod u-s /usr/bin/rsh setcap cap_net_bind_service+ep /usr/bin/rsh
chmod u-s /usr/bin/rcp setcap cap_net_bind_service+ep /usr/bin/rcp
chmod u-s /usr/bin/rlogin setcap cap_net_bind_service+ep /usr/bin/rlogin
iputils
Current version: 20071127-2
chmod u-s /bin/ping setcap cap_net_raw+ep /bin/ping
chmod u-s /bin/ping6 setcap cap_net_raw+ep /bin/ping6
chmod u-s /bin/traceroute setcap cap_net_raw+ep /bin/traceroute
chmod u-s /bin/traceroute6 setcap cap_net_raw+ep /bin/traceroute6
pam
Current version: 1.0.4-1
chmod u-s /sbin/unix_chkpwd setcap cap_dac_read_search+ep /sbin/unix_chkpwd
shadow
Current version: 4.1.2.1-2
chmod u-s /usr/bin/chage setcap cap_dac_read_search+ep /usr/bin/chage
chmod u-s /usr/bin/chfn setcap cap_chown,cap_setuid+ep /usr/bin/chfn
chmod u-s /usr/bin/chsh setcap cap_chown,cap_setuid+ep /usr/bin/chsh
chmod u-s /usr/bin/expiry setcap cap_dac_override,cap_setgid+ep /usr/bin/expiry
chmod u-s /usr/bin/gpasswd setcap cap_chown,cap_dac_override,cap_setuid+ep /usr/bin/gpasswd
chmod u-s /usr/bin/newgrp setcap cap_dac_override,cap_setgid+ep /usr/bin/newgrp
chmod u-s /usr/bin/passwd setcap cap_chown,cap_dac_override,cap_fowner+ep /usr/bin/passwd
sudo
Current version: 1.7.0-1
Sudo do not work without setuid.
util-linux-ng
Current version: 2.14.2-1
chmod u-s /bin/mount setcap cap_dac_override,cap_sys_admin+ep /bin/mount
chmod u-s /bin/umount setcap cap_dac_override,cap_sys_admin+ep /bin/umount
[extra]
apache
cups
fuse
kdebase-workspace
pmount
Current version: 0.9.19-2
Do not work without setuid.
schroot
screen
Current version: 4.0.3-6
Always need setuid to perform some security checks. See screen(1) man page.
xorg-xserver
Current version: 1.6.0-2
chmod u-s /usr/bin/Xorg setcap cap_chown,cap_dac_override,cap_sys_rawio,cap_sys_admin+ep /usr/bin/Xorg
[community]
Useful commands
Find setuid-root files
find /bin /sbin /lib /usr/bin /usr/sbin /usr/lib -perm +4000 -user root
Find setgid-root files
find /bin /sbin /lib /usr/bin /usr/sbin /usr/lib -perm +2000 -group root
Additional Resources
- Man Page capabilities(7) setcap(8) getcap(8)