[PLUG] [Updates]PLUG meeting on 6th Oct. at 5pm @SICSR

Arun Khan knura9 at gmail.com
Wed Oct 17 23:13:08 PDT 2012


On Tue, Oct 16, 2012 at 4:48 AM, Sunil Beta Baskar <betasam at gmail.com> wrote:
> On 11 October 2012 13:19, Arun Khan <knura9 at gmail.com> wrote:
>> On Sun, Oct 7, 2012 at 10:20 AM, Sunil Beta Baskar <betasam at gmail.com> wrote:
>>
>> ... snip ...
>>
>>> [ SetUID bit ]
>>> Behavior on linux-kernel 3.2.x with
>>> $ chmod a+s somefolder
>>> $ ls -ltr somefolder
>>> shows all files inside somefolder with their original rights and
>>> *owners* on ext4. This is on Debian Wheezy.
>>>
>>> Although the setUID bit is still used, it is not recommended if you
>>> want to have any sense of security on a system.
>>
>> Per your recommendation about usage of SetUID bit, please suggest
>> alternatives for the following that come to my mind offhand (I :
>>
>> $ for x in sudo X chsh passwd; do ls -l $(which ${x}); done
>> -rwsr-xr-x 1 root root 71248 Jan 31  2012 /usr/bin/sudo
>> -rwsr-sr-x 1 root root 10184 Mar 22  2012 /usr/bin/X
>> -rwsr-xr-x 1 root root 37096 Apr  9  2012 /usr/bin/chsh
>> -rwsr-xr-x 1 root root 42824 Apr  9  2012 /usr/bin/passwd
>
> The best alternative (except for sudo) is to use 'file capabilities'
> which can be manipulated using setcap. Here's a list of all the setuid
> programs in a GNU/Linux distribution and how you could remove
> setuid/setgid and choose file capabilities in a more fine-grained
> manner. The package candidate for installing setcap is libcap2-bin on
> my Debian Wheezy box.
>
> https://wiki.archlinux.org/index.php/Using_File_Capabilities_Instead_Of_Setuid
>
> X can be run without the setuid bit, that can be done if you have
> enough time to build it. The tough one from which you'd want to pull
> that setuid bit off would be 'mount'; right now it results in
> permission nightmares.
>

This needs a paradigm shift in the way distributions are built so
perhaps it should be addressed in the "developer" mailing list of the
respective distributions.

IMO, this is not in the realm of the average user.  IMO, majority of
the users are not capable of doing *or* have the time to do what you
are suggesting.

What parts of your suggestions,  have you incorporated into your
systems?   In case, you have please blog it - I am sure it will be an
interesting read :)

-- Arun Khan



More information about the plug-mail mailing list