[RndTbl] Linux capabilities vs setuid-root
Gilbert E. Detillieux
gedetil at cs.umanitoba.ca
Wed Sep 9 12:31:22 CDT 2015
I mentioned Linux capabilities (setcap/getcap commands) briefly during
last night's round-table session, and Trevor mentioned that he thought
that recent Fedora releases had eliminated the use of setuid-root
binaries in favour of capabilities-based binaries. (That's the stated
goal, in any case.)
Not sure about the very latest Fedora/Rawhide releases, but here are the
numbers on a Fedora 21 host I was able to quickly check...
$ getcap /usr/*bin/*|wc -l
10
$ ls -l /usr/*bin/*|grep '^...s'|wc -l
21
$ ls -l /usr/*bin/*|grep '^......s'|wc -l
7
$
All of the setuid binaries (in the second command) are setuid-root. The
setgid binaries (last command) have varying group ID's.
For comparison, here are the numbers on an EL7 host...
$ getcap /usr/*bin/*|wc -l
8
$ ls -l /usr/*bin/*|grep '^...s'|wc -l
23
$ ls -l /usr/*bin/*|grep '^......s'|wc -l
9
$
The difference in counts between the two hosts likely has more to do
with specific packages loaded than with actual differences in the
distros, though.
Note that Linux capabilities are intended to grant only specific
kernel-based rights that were otherwise restricted to root, so it likely
won't eliminate all setuid/setgid use cases, without some more drastic
coding solutions.
Gilbert
--
Manitoba UNIX User Group E-mail: <gedetil at muug.mb.ca>
c/o Gilbert E. Detillieux Web: http://www.muug.mb.ca/
University of Manitoba Phone: (204)474-8161
Winnipeg MB CANADA R3T 2N2 Fax: (204)474-7609
More information about the Roundtable
mailing list