[RndTbl] Linux capabilities vs setuid-root

Gilbert E. Detillieux gedetil at cs.umanitoba.ca
Wed Sep 9 12:31:22 CDT 2015


I mentioned Linux capabilities (setcap/getcap commands) briefly during 
last night's round-table session, and Trevor mentioned that he thought 
that recent Fedora releases had eliminated the use of setuid-root 
binaries in favour of capabilities-based binaries.  (That's the stated 
goal, in any case.)

Not sure about the very latest Fedora/Rawhide releases, but here are the 
numbers on a Fedora 21 host I was able to quickly check...

$ getcap /usr/*bin/*|wc -l
10
$ ls -l /usr/*bin/*|grep '^...s'|wc -l
21
$ ls -l /usr/*bin/*|grep '^......s'|wc -l
7
$

All of the setuid binaries (in the second command) are setuid-root.  The 
setgid binaries (last command) have varying group ID's.

For comparison, here are the numbers on an EL7 host...

$ getcap /usr/*bin/*|wc -l
8
$ ls -l /usr/*bin/*|grep '^...s'|wc -l
23
$ ls -l /usr/*bin/*|grep '^......s'|wc -l
9
$

The difference in counts between the two hosts likely has more to do 
with specific packages loaded than with actual differences in the 
distros, though.

Note that Linux capabilities are intended to grant only specific 
kernel-based rights that were otherwise restricted to root, so it likely 
won't eliminate all setuid/setgid use cases, without some more drastic 
coding solutions.

Gilbert

-- 
Manitoba UNIX User Group	E-mail: <gedetil at muug.mb.ca>
c/o Gilbert E. Detillieux	Web:	http://www.muug.mb.ca/
University of Manitoba		Phone:  (204)474-8161
Winnipeg MB CANADA  R3T 2N2	Fax:    (204)474-7609


More information about the Roundtable mailing list