Bug 564896 - sys-apps/shadow: add support for fcaps.eclass
Summary: sys-apps/shadow: add support for fcaps.eclass
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal enhancement
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-11-04 22:20 UTC by Nick Kossifidis
Modified: 2023-06-17 02:30 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Nick Kossifidis 2015-11-04 22:20:29 UTC
The various binaries that are part of sys-apps/shadow could use file capabilities instead of having the suid bit set. This would greatly decrease the number of suid binaries on the system and increase security. I tested the following on my hardened Gentoo setup and it works fine (most come from Arch Linux's wiki):

# -l option allows for a user to see his/her account's password expiry date
/usr/bin/chage = cap_dac_read_search+ep

# changes the user's information (full name, phone number etc) on /etc/passwd
/usr/bin/chfn = cap_chown,cap_setuid+ep

# changes the user's login shell on /etc/passwd
/usr/bin/chsh = cap_chown,cap_setuid+ep

# checks if the user's password has expired and forces a password change in case it has
/usr/bin/expiry = cap_dac_override,cap_setgid+ep

# allows root and group administrators to set/change group passwords on /etc/gshadow
/usr/bin/gpasswd = cap_chown,cap_dac_override,cap_setuid+ep

# allows users to set their current group ID in case they know the group's password or are members of the group
/usr/bin/newgrp = cap_dac_override,cap_setgid+ep

# allows users to change their password on /etc/shadow
/usr/bin/passwd = cap_chown,cap_dac_override,cap_fowner+ep

# writes uid mappings on /proc/<pid>/uid_map
/usr/bin/newuidmap = cap_setuid+ep

# writes gid mappings on /proc/<pid>/gid_map
/usr/bin/newgidmap = cap_setgid+ep
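The mapping above turned into a script that plans, applies and verifies the conversion from setuid-root to file capabilities. This is an added example, not code from the bug report, from sys-apps/shadow or from fcaps.eclass. It assumes setcap/getcap from sys-libs/libcap on the PATH, root privileges for the apply step, and the binary paths exactly as listed in the report; the function names (suid_count, fcaps_plan, fcaps_check and so on) are invented for this example.

```shell
#!/bin/sh
# Added example (not part of the bug report, sys-apps/shadow or fcaps.eclass):
# convert the shadow binaries listed above from setuid-root to file
# capabilities and verify the result. Assumes a Linux host with setcap/getcap
# from sys-libs/libcap; the --apply step must run as root.

# Mapping copied from the report: "<path> <capability set>" per line.
SHADOW_FCAPS='
/usr/bin/chage cap_dac_read_search+ep
/usr/bin/chfn cap_chown,cap_setuid+ep
/usr/bin/chsh cap_chown,cap_setuid+ep
/usr/bin/expiry cap_dac_override,cap_setgid+ep
/usr/bin/gpasswd cap_chown,cap_dac_override,cap_setuid+ep
/usr/bin/newgrp cap_dac_override,cap_setgid+ep
/usr/bin/passwd cap_chown,cap_dac_override,cap_fowner+ep
/usr/bin/newuidmap cap_setuid+ep
/usr/bin/newgidmap cap_setgid+ep
'

# Number of setuid files below a directory: the figure the report says this
# change reduces. Compare it before and after --apply.
suid_count() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | wc -l | tr -d ' '
}

# Print (without running) the two commands that convert one binary.
# The setuid bit is dropped first on purpose: if setcap then fails, the
# binary is left unprivileged rather than still setuid.
fcaps_plan() {
    printf 'chmod u-s %s\nsetcap %s %s\n' "$1" "$2" "$1"
}

# Plan for every "<path> <caps>" line read from stdin; blank lines are skipped.
fcaps_plan_all() {
    while read -r path caps; do
        [ -n "$path" ] || continue
        fcaps_plan "$path" "$caps"
    done
}

# Apply one mapping. setcap writes the security.capability xattr, so this
# fails on a filesystem mounted without xattr support; that is the situation
# fcaps.eclass covers with its setuid fallback.
fcaps_apply() {
    chmod u-s "$1" && setcap "$2" "$1"
}

# Check one binary: success only if it is no longer setuid and carries a
# capability set. getcap's output spelling differs between libcap versions
# ("=ep" versus "+ep"), so only the presence of a set is tested here.
fcaps_check() {
    if [ -u "$1" ]; then
        printf '%s: still setuid\n' "$1"
        return 1
    fi
    if [ -z "$(getcap "$1" 2>/dev/null)" ]; then
        printf '%s: no file capabilities\n' "$1"
        return 1
    fi
    return 0
}

# Run a function over every mapping line; stops at the first failure.
fcaps_each() {
    fn=$1
    printf '%s\n' "$SHADOW_FCAPS" | while read -r path caps; do
        [ -n "$path" ] || continue
        "$fn" "$path" "$caps" || exit 1
    done
}

case "${1:-}" in
    --apply) fcaps_each fcaps_apply ;;
    --check) fcaps_each fcaps_check && echo "all listed binaries converted" ;;
    *)       printf '%s\n' "$SHADOW_FCAPS" | fcaps_plan_all ;;   # dry run
esac
```

Run it with no argument to see the planned chmod/setcap commands, with --apply as root to convert the installed binaries, and with --check afterwards. The check only confirms that the setuid bit is gone and a capability xattr is present; whether each set is sufficient still has to be tested by running every binary as an unprivileged user, because a missing capability shows up as a runtime failure, not at setcap time. fcaps.eclass does the same job at install time from the ebuild and falls back to setuid when the xattr cannot be written, which is what makes it the right place for this rather than a post-install script.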