
Bug 564896

Summary: sys-apps/shadow: add support for fcaps.eclass
Product: Gentoo Linux
Reporter: Nick Kossifidis <mickflemm>
Component: Current packages
Assignee: Gentoo's Team for Core System packages <base-system>
Status: UNCONFIRMED ---    
Severity: enhancement CC: pam-bugs+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Package list:
Runtime testing required: ---

Description Nick Kossifidis 2015-11-04 22:20:29 UTC
The various binaries that are part of sys-apps/shadow could use file capabilities instead of having the suid bit set. This would greatly decrease the number of suid binaries on the system and increase security. I tested the following on my hardened Gentoo setup and it works fine (most come from Arch Linux's wiki):

# -l option allows for a user to see his/her account's password expiry date
/usr/bin/chage = cap_dac_read_search+ep

# changes the user's information (full name, phone number etc) on /etc/passwd
/usr/bin/chfn = cap_chown,cap_setuid+ep

# changes the user's login shell on /etc/passwd
/usr/bin/chsh = cap_chown,cap_setuid+ep

# checks if the user's password has expired and forces a password change in case it has
/usr/bin/expiry = cap_dac_override,cap_setgid+ep

# allows root and group administrators to set/change group passwords on /etc/gshadow
/usr/bin/gpasswd = cap_chown,cap_dac_override,cap_setuid+ep

# allows users to set their current group ID in case they know the group's password or are members of the group
/usr/bin/newgrp = cap_dac_override,cap_setgid+ep

# allows users to change their password on /etc/shadow
/usr/bin/passwd = cap_chown,cap_dac_override,cap_fowner+ep

# writes uid mappings on /proc/<pid>/uid_map
/usr/bin/newuidmap = cap_setuid+ep

# writes gid mappings on /proc/<pid>/gid_map
/usr/bin/newgidmap = cap_setgid+ep
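As an added example (not part of the bug report, the shadow package or any Gentoo eclass), the following Python script turns the "path = caps" list above into an audit: it parses the desired mapping, compares it against `getcap` output and the files' mode bits, and classifies each binary as ok, still suid-only, carrying both suid and capabilities (no real privilege reduction), mismatched, unprivileged, or missing. The `getcap` lines and the mode values are constructed sample data, and the function names (`parse_desired`, `parse_getcap`, `audit`, `setcap_commands`, `run_example`) are this example's own; `parse_getcap` assumes the two output forms libcap has used (`/path = cap+ep` and the newer `/path cap=ep`).

```python
#!/usr/bin/env python3
"""Audit helper: compare the desired file-capability set for the shadow
binaries against what a system actually has (suid/sgid bit + getcap)."""
import re
import stat

# Desired mapping, copied from the report above in its "path = caps+flags" form.
DESIRED = """
/usr/bin/chage = cap_dac_read_search+ep
/usr/bin/chfn = cap_chown,cap_setuid+ep
/usr/bin/chsh = cap_chown,cap_setuid+ep
/usr/bin/expiry = cap_dac_override,cap_setgid+ep
/usr/bin/gpasswd = cap_chown,cap_dac_override,cap_setuid+ep
/usr/bin/newgrp = cap_dac_override,cap_setgid+ep
/usr/bin/passwd = cap_chown,cap_dac_override,cap_fowner+ep
/usr/bin/newuidmap = cap_setuid+ep
/usr/bin/newgidmap = cap_setgid+ep
"""

# Constructed sample of 'getcap -r /usr/bin' output (both libcap print styles).
SAMPLE_GETCAP = """\
/usr/bin/chage = cap_dac_read_search+ep
/usr/bin/passwd = cap_chown,cap_dac_override,cap_fowner+ep
/usr/bin/newgrp cap_dac_override=ep
/usr/bin/newuidmap = cap_setuid+ep
"""

# Constructed sample st_mode values (as os.stat(path).st_mode would return them).
SAMPLE_MODES = {
    "/usr/bin/chage": 0o100755,      # caps only: the goal
    "/usr/bin/chfn": 0o104755,       # still suid root, no caps
    "/usr/bin/chsh": 0o104755,
    "/usr/bin/expiry": 0o102755,     # sgid counts as a privileged bit too
    "/usr/bin/gpasswd": 0o100755,    # neither suid nor caps: would not work
    "/usr/bin/newgrp": 0o100755,     # caps present but cap_setgid is missing
    "/usr/bin/passwd": 0o100755,
    "/usr/bin/newuidmap": 0o104755,  # caps AND suid: no reduction achieved
    # /usr/bin/newgidmap deliberately absent
}


def parse_capspec(spec):
    """Split 'cap_a,cap_b+ep' into (frozenset({'cap_a', 'cap_b'}), 'ep')."""
    m = re.fullmatch(r"([a-z_,]+)\+([eip]+)", spec)
    if not m:
        raise ValueError(f"unsupported capability spec: {spec!r}")
    return frozenset(m.group(1).split(",")), "".join(sorted(m.group(2)))


def parse_desired(text):
    """Return {path: (caps, flags)} from '# comment' / 'path = caps+flags' lines."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            path, spec = (s.strip() for s in line.split("=", 1))
            out[path] = parse_capspec(spec)
    return out


def parse_getcap(text):
    """Parse getcap output: old style '/p = cap+ep' or new style '/p cap=ep'."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if " = " in line:
            path, spec = line.split(" = ", 1)
        else:
            path, spec = line.split(None, 1)
            caps, _, flags = spec.partition("=")
            spec = f"{caps}+{flags}"
        out[path.strip()] = parse_capspec(spec.strip())
    return out


def audit(desired, actual_caps, modes):
    """Classify every binary in `desired`; `modes` maps path -> st_mode."""
    report = {}
    for path, want in desired.items():
        mode = modes.get(path)
        if mode is None:
            report[path] = "missing"
            continue
        privileged_bit = bool(mode & (stat.S_ISUID | stat.S_ISGID))
        have = actual_caps.get(path)
        if have is None:
            report[path] = "suid-only" if privileged_bit else "no-privilege"
        elif have != want:
            report[path] = "caps-mismatch"
        elif privileged_bit:
            report[path] = "suid-and-caps"  # still switches uid/gid on exec
        else:
            report[path] = "ok"
    return report


def setcap_commands(desired):
    """Commands that would apply the desired mapping (strip suid, set caps)."""
    cmds = []
    for path, (caps, flags) in sorted(desired.items()):
        cmds.append(f"chmod u-s,g-s {path}")
        cmds.append(f"setcap '{','.join(sorted(caps))}+{flags}' {path}")
    return cmds


def run_example():
    """Run the audit over the constructed sample data."""
    return audit(parse_desired(DESIRED), parse_getcap(SAMPLE_GETCAP), SAMPLE_MODES)


if __name__ == "__main__":
    for path, state in sorted(run_example().items()):
        print(f"{state:14} {path}")
```

On a live system the two sample inputs would come from `os.stat()` and `getcap -r`; the "suid-and-caps" state is the one worth watching after a migration, because a binary that keeps its suid bit still changes uid on exec and the capability set only narrows what that root process may do.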