< Features
No edit summary |
|||
| Line 13: | Line 13: | ||
== Current status == | == Current status == | ||
* Targeted release: [[Releases/15 | Fedora <15> ]] | * Targeted release: [[Releases/15 | Fedora <15> ]] | ||
* Last updated: (DATE) 2010-10- | * Last updated: (DATE) 2010-10-26 | ||
* Percentage of completion: | * Percentage of completion: 20% | ||
* Tracker Bug https://bugzilla.redhat.com/show_bug.cgi?id=646440 added | * Tracker Bug https://bugzilla.redhat.com/show_bug.cgi?id=646440 added | ||
| Line 21: | Line 21: | ||
== Detailed Description == | == Detailed Description == | ||
<!-- Expand on the summary, if appropriate. A couple sentences suffices to explain the goal, but the more details you can provide the better. --> | <!-- Expand on the summary, if appropriate. A couple sentences suffices to explain the goal, but the more details you can provide the better. --> | ||
We need to change the spec files of | We need to change the spec files of most applications that include a setuid application to remove the setuid flag and change to file capabilities. | ||
Package maintainers after making this change have to verify that their applications still work without the setuid app. In some cases this might not be possible. | Package maintainers after making this change have to verify that their applications still work without the setuid app. In some cases this might not be possible. | ||
Cases where you are and admin becoming root, su, sudo, ksu, userhelper will not be able to change. But I think all package maintainers should take a look at their setuid apps and see if they can do a better, more secure job using file capabilities. | |||
One example, I was able to remove most privs from newrole, now its only capability is the ability to send audit messages. | |||
== Benefit to Fedora == | == Benefit to Fedora == | ||
| Line 77: | Line 81: | ||
[[Category: | [[Category:FeatureReadyForWrangler]] | ||
<!-- When your feature page is completed and ready for review --> | <!-- When your feature page is completed and ready for review --> | ||
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler --> | <!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler --> | ||
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete--> | <!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete--> | ||
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process --> | <!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process --> | ||
Revision as of 20:07, 26 October 2010
Remove SETUid
Summary
File Capabilties have been present in the Operating System for a few releases now, it is time that we remove setuid applications and just assign the capapilities required by an application. This should make the applications and the Operating System more secure.
Owner
- Name: Daniel Walsh
- Email: <dwalsh@redhat.com>
Current status
- Targeted release: Fedora <15>
- Last updated: (DATE) 2010-10-26
- Percentage of completion: 20%
- Tracker Bug https://bugzilla.redhat.com/show_bug.cgi?id=646440 added
Detailed Description
We need to change the spec files of most applications that include a setuid application to remove the setuid flag and change to file capabilities.
Package maintainers after making this change have to verify that their applications still work without the setuid app. In some cases this might not be possible.
Cases where you are and admin becoming root, su, sudo, ksu, userhelper will not be able to change. But I think all package maintainers should take a look at their setuid apps and see if they can do a better, more secure job using file capabilities.
One example, I was able to remove most privs from newrole, now its only capability is the ability to send audit messages.
Benefit to Fedora
This will benefit Fedora by making it more secure.
Scope
Open up a tracker bug, then open a bugzilla on every package that includes setuid applications. We would like to have the Fedora packaging committee codify this in rules and perhaps rpmlint to have smarts about identifying setuid apps and recommending file capabilities.
How To Test
Do a complete install of all Fedora packages and then search for any applications that have the setuid flag. If they do then the Feature is not complete. For any application that was setuid and now uses file capabilities, we need to test that the applications still works as it used to. Test rpmlint on an spec file containing a setuid app, and make sure it prints a proper warning.
User Experience
No change in User Experience should be expected.
Dependencies
We have a dependency that every package that contains a setuid app, is changed by the package owner. Although if we get some/most packages we feel that we have improved the security of the system.
Contingency Plan
None Necessary
Documentation
We should change documentation on packaging guidelines to talk about using file capabilities.