I mentioned Linux capabilities (setcap/getcap commands) briefly during last night's round-table session, and Trevor mentioned that he thought that recent Fedora releases had eliminated the use of setuid-root binaries in favour of capabilities-based binaries. (That's the stated goal, in any case.)
Not sure about the very latest Fedora/Rawhide releases, but here are the numbers on a Fedora 21 host I was able to quickly check...
$ getcap /usr/*bin/*|wc -l
10
$ ls -l /usr/*bin/*|grep '^...s'|wc -l
21
$ ls -l /usr/*bin/*|grep '^......s'|wc -l
7
All of the setuid binaries (in the second command) are setuid-root. The setgid binaries (last command) have varying group IDs.
For comparison, here are the numbers on an EL7 host...
$ getcap /usr/*bin/*|wc -l
8
$ ls -l /usr/*bin/*|grep '^...s'|wc -l
23
$ ls -l /usr/*bin/*|grep '^......s'|wc -l
9
The difference in counts between the two hosts likely has more to do with specific packages loaded than with actual differences in the distros, though.
Note that Linux capabilities are intended to grant only specific kernel-based rights that were otherwise restricted to root, so they likely won't eliminate all setuid/setgid use cases without some more drastic coding solutions.
Gilbert
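An added example, not part of the original post: the same inventory done with `find -perm` rather than by grepping `ls -l` output, so that setuid files lacking the owner-execute bit (which `ls` shows as `S`, not `s`) are counted too, plus a per-group breakdown of the setgid files. The function names are hypothetical, and `getcap` is used only if it is installed.

```shell
#!/bin/sh
# Added example: inventory setuid / setgid / file-capability binaries.
# Function names are illustrative, not taken from the thread.

# count_mode DIR MODE [extra find tests...]
# Prints how many regular files directly inside DIR have all MODE bits set.
# Assumes file names contain no newlines (counting is line-based).
count_mode() {
    dir=$1; mode=$2; shift 2
    find "$dir" -maxdepth 1 -type f -perm "-$mode" "$@" 2>/dev/null \
        | wc -l | tr -d ' '
}

# count_caps DIR
# Prints how many files in DIR carry file capabilities, or "n/a"
# when the getcap tool is not available on this host.
count_caps() {
    command -v getcap >/dev/null 2>&1 || { echo "n/a"; return 0; }
    getcap "$1"/* 2>/dev/null | wc -l | tr -d ' '
}

# setgid_groups DIR
# Prints "COUNT GID" lines: how many setgid files each numeric group owns.
setgid_groups() {
    find "$1" -maxdepth 1 -type f -perm -2000 -exec ls -ln {} + 2>/dev/null \
        | awk '{ print $4 }' | sort -n | uniq -c
}

# audit_dir DIR
# One summary line per directory, then the setgid group breakdown.
audit_dir() {
    d=$1
    printf '%s: setuid=%s (root-owned=%s) setgid=%s caps=%s\n' "$d" \
        "$(count_mode "$d" 4000)" \
        "$(count_mode "$d" 4000 -uid 0)" \
        "$(count_mode "$d" 2000)" \
        "$(count_caps "$d")"
    setgid_groups "$d"
}

# Usage: sh audit.sh /usr/bin /usr/sbin
for d in "$@"; do
    audit_dir "$d"
done
```

Comparing the `setuid` and `root-owned` figures shows directly whether every setuid binary is setuid-root, as was the case on the Fedora 21 host above.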
On 2015-09-09 Gilbert E. Detillieux wrote:
I mentioned Linux capabilities (setcap/getcap commands) briefly during last night's round-table session, and Trevor mentioned that he thought that recent Fedora releases had eliminated the use of setuid-root binaries in favour of capabilities-based binaries. (That's the stated goal, in any case.)
Ya, I thought it over and checked my system and it turns out I was thinking about suid scripts; perl in particular. An update or two ago they got rid of suid perl completely, as in made it impossible, and I had to scramble to get some things to work by using sudoers (not capabilities). I guess caps are the next Big Thing. I'll wait until they disable sudoers... (yes Adam, *BSD, grumble grumble.)
Lol. Actually, OpenBSD has removed sudo (and replaced it with doas). FreeBSD was an early entrant to the Capabilities game with Capsicum, which continues to be one of the leading platforms for it. No idea what NetBSD does. On the other hand, Solaris and AIX (at least) have had Capabilities for at least 15yrs while no-one else noticed. IIRC, UnixWare had them back in 1993! So, really, anyone who thinks this is *new* technology that Linux is introducing (and aren't we just so much more advanced than everyone else)... sorry, dead wrong. (Even *Windows* has had this since the early 90s.)
-Adam
On September 15, 2015 8:23:07 PM CDT, Trevor Cordes trevor@tecnopolis.ca wrote:
Ya, I thought it over and checked my system and it turns out I was thinking about suid scripts; perl in particular. An update or two ago they got rid of suid perl completely, as in made it impossible, and I had to scramble to get some things to work by using sudoers (not capabilities). I guess caps are the next Big Thing. I'll wait until they disable sudoers... (yes Adam, *BSD, grumble grumble.)
Dare I say it ... VMS ;-)
On Tue, Sep 15, 2015, 22:55 Adam Thompson athompso@athompso.net wrote:
Lol. Actually, OpenBSD has removed sudo (and replaced it with doas). FreeBSD was an early entrant to the Capabilities game with Capsicum, which continues to be one of the leading platforms for it. No idea what NetBSD does. On the other hand, Solaris and AIX (at least) have had Capabilities for at least 15yrs while no-one else noticed. IIRC, UnixWare had them back in 1993! So, really, anyone who thinks this is *new* technology that Linux is introducing (and aren't we just so much more advanced than everyone else)... sorry, dead wrong. (Even *Windows* has had this since the early 90s.)
-Adam