I am trying to cherry-pick the suid binaries that end up in the filesystem, but ebuilds that use fcaps.eclass manage to circumvent the suidctl FEATURE.

Steps to replicate (my /etc/portage/suidctl.conf does not allow /usr/sbin/mtr to be installed with the SUID bit set):

~ # emerge -v mtr
[..]
>>> Performing suid scan in /local/portage/build/portage/net-analyzer/mtr-0.86/image/
>>> Removing sbit on non registered /usr/sbin/mtr
>>> Appending commented out entry to /etc/portage/suidctl.conf for mtr-0.86
[..]
~ # ls -al `which mtr`
-rws--x--x. 1 root root 90544 Jun 26 15:38 /usr/sbin/mtr
~ # grep mtr /etc/portage/suidctl.conf
## -rws--x--x. 1 root root 89K Jun 26 15:38 /usr/sbin/mtr
#/usr/sbin/mtr

The same happens with the net-misc/iputils package, but in that case even the -filecaps -caps USE flags get _completely ignored_ and fcaps gets run even with those USE flags disabled.

~ # emerge -pv iputils
[ebuild R ] net-misc/iputils-20121221-r1::gentoo USE="ipv6 ssl -SECURITY_HAZARD -caps -doc -filecaps -gnutls -idn -static" 0 KiB
~ # emerge -v iputils
[..]
~ # ls -al /bin/ping*
-rws--x--x. 1 root root 43200 Jun 26 15:50 /bin/ping
-rws--x--x. 1 root root 43600 Jun 26 15:50 /bin/ping6
~ # grep -c ping /etc/portage/suidctl.conf
0

Basically, both packages install suid binaries even if filecaps is disabled and suidctl does not allow those binaries to end up with the suid bit set.
~ # emerge --info
Portage 2.2.18 (python 2.7.9-final-0, hardened/linux/amd64/no-multilib/selinux, gcc-4.7.4, glibc-2.20-r2, 3.14.44-grsec-s005 x86_64)
=================================================================
System uname: Linux-3.14.44-grsec-s005-x86_64-Intel-R-_Xeon-R-_CPU_X3460_@_2.80GHz-with-gentoo-2.2
KiB Mem: 1014560 total, 91592 free
KiB Swap: 4194300 total, 4183348 free
Timestamp of repository gentoo: Fri, 26 Jun 2015 11:30:01 +0000
sh bash 4.3_p33-r2
ld GNU ld (Gentoo 2.24 p1.4) 2.24
app-shells/bash: 4.3_p33-r2::gentoo
dev-lang/perl: 5.20.2::gentoo
dev-lang/python: 2.7.9-r1::gentoo, 3.2.5-r6::gentoo
dev-util/cmake: 3.2.2::gentoo
dev-util/pkgconfig: 0.28-r2::gentoo
sys-apps/baselayout: 2.2::gentoo
sys-apps/openrc: 0.16.4::gentoo
sys-apps/sandbox: 2.6-r1::gentoo
sys-devel/autoconf: 2.69::gentoo
sys-devel/automake: 1.11.6-r1::gentoo, 1.12.6::gentoo, 1.13.4::gentoo, 1.14.1::gentoo
sys-devel/binutils: 2.24-r3::gentoo
sys-devel/gcc: 4.7.4::gentoo, 4.8.4::gentoo
sys-devel/gcc-config: 1.7.3::gentoo
sys-devel/libtool: 2.4.6::gentoo
sys-devel/make: 4.1-r1::gentoo
sys-kernel/linux-headers: 3.18::gentoo (virtual/os-headers)
sys-libs/glibc: 2.20-r2::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000

peter-s_overlay
    location: /local/portage/overlay
    sync-type: rsync
    sync-uri: rsync://CENSORED/portage-overlay/
    masters: gentoo
    priority: 0

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /etc/stunnel/stunnel.conf /local/adm/bin /usr/share/gnupg/qualified.txt /var/service"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.6/ext-active/ /etc/php/cgi-php5.6/ext-active/ /etc/php/cli-php5.6/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/local/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildpkg collision-protect config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox selinux sesandbox sfperms strict suidctl unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j2"
PKGDIR="/local/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/local/portage/build"
USE="acl amd64 bzip2 caps crypt cxx hardened ipv4 ipv6 ncurses nptl open_perms pcre pic pie readline selinux ssl ssp threads unicode xattr zlib" ABI_X86="64" CPU_FLAGS_X86="aes avx mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" CURL_SSL="openssl" ELIBC="glibc" GRUB_PLATFORMS="efi-64 pc" KERNEL="linux" NGINX_MODULES_HTTP="access auth_basic autoindex browser fastcgi gzip gzip_static headers_more limit_req limit_conn proxy referer rewrite stub_status" PHP_TARGETS="php5-6" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7" USERLAND="GNU" USE_PYTHON="2.7"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

possible fixes: move fcaps
Maybe fcaps should not call chmod 4711 as a fallback when called in pkg_postinst. It should be fine if it is called in an earlier phase function. That would basically mean that ebuilds would need to ensure relevant binaries have the suid bit set in src_install and not rely on fcaps being called in pkg_postinst.
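The ordering problem described in comment #1 can be reproduced with plain files, which also shows why a post-merge audit is the check a suidctl user actually needs. The script below is an added example for this page: it is not Portage code, not fcaps.eclass and not the reporter's setup. A suidctl-style scan strips the setuid bit from an unregistered file in the image tree (the $D stage), the tree is merged, and a chmod 4711 fallback then runs against the merged tree (the pkg_postinst stage), which the scan never sees. The allow-list, the temporary directories and the empty stand-in for /usr/sbin/mtr are constructed for the demo; `audit_suid` is the post-merge check, which lists installed setuid files the allow-list does not register.

```shell
#!/bin/sh
# Added example written for this page; not Portage, fcaps.eclass or the
# reporter's code. Reproduces the ordering problem from comment #1 in a
# temporary directory: the suidctl-style scan runs over the image tree
# before merge, while a chmod 4711 fallback in the post-install phase acts
# on the merged tree, which the scan never sees. Paths and the allow-list
# below are constructed for the demo.

# suid_scan IMAGE ALLOWLIST
# Clear the setuid bit on every file under IMAGE whose install path is not
# listed in ALLOWLIST (one absolute path per line; '#' lines never match).
suid_scan() {
    find "$1" -type f -perm -4000 | while IFS= read -r f; do
        rel=${f#"$1"}
        grep -qx "$rel" "$2" || chmod u-s "$f"
    done
}

# merge_image IMAGE ROOT
# Copy the image tree into ROOT preserving modes; stands in for the merge
# step, which happens after the scan.
merge_image() {
    cp -Rp "$1"/. "$2"/
}

# fcaps_fallback ROOT PATH
# What a post-install fallback does when file capabilities cannot be
# applied: set mode 4711 on the file already installed under ROOT.
fcaps_fallback() {
    chmod 4711 "$1$2"
}

# audit_suid ROOT ALLOWLIST
# Post-merge check: print every setuid file under ROOT that the allow-list
# does not register; exit status 1 if any were found, 0 if the tree is clean.
audit_suid() {
    if find "$1" -type f -perm -4000 | while IFS= read -r f; do
           rel=${f#"$1"}
           grep -qx "$rel" "$2" || printf '%s\n' "$rel"
       done | grep .; then
        return 1
    fi
    return 0
}

# demo
# Run the steps in Portage order and report on one line whether the image
# copy and the merged copy carry the setuid bit, plus the audit's finding count.
demo() {
    tmp=$(mktemp -d)
    image=$tmp/image root=$tmp/root allow=$tmp/suidctl.conf
    mkdir -p "$image/usr/sbin" "$root"
    : > "$image/usr/sbin/mtr"              # constructed stand-in for the mtr binary
    chmod 4711 "$image/usr/sbin/mtr"       # the ebuild installed it setuid
    printf '%s\n' '# constructed allow-list: /usr/sbin/mtr is not registered' \
        '/usr/bin/registered-example' > "$allow"

    suid_scan "$image" "$allow"             # scan strips the bit in the image tree
    if [ -u "$image/usr/sbin/mtr" ]; then img=setuid; else img=no-setuid; fi
    merge_image "$image" "$root"
    fcaps_fallback "$root" /usr/sbin/mtr    # postinst fallback restores it after the scan
    if [ -u "$root/usr/sbin/mtr" ]; then fin=setuid; else fin=no-setuid; fi
    violations=$(audit_suid "$root" "$allow" | wc -l)
    rm -rf "$tmp"
    echo "image=$img root=$fin audit=$((violations))"
}

demo
```

Running it prints `image=no-setuid root=setuid audit=1`: the scan did its job on the image, the fallback undid it on the merged tree, and only a scan of the live root catches the result. Pointing `audit_suid` at `/` with the real /etc/portage/suidctl.conf gives the same check on an actual system.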
(In reply to Mike Gilbert from comment #1)

That isn't feasible as long as PMS doesn't guarantee state $D->$ROOT.

*** This bug has been marked as a duplicate of bug 460810 ***