Bug 702652 - x11-misc/xscreensaver-5.43-r1 ships /usr/lib64/misc/xscreensaver/sonar with cap_net_raw by default
Status: UNCONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
 
Reported: 2019-12-13 09:14 UTC by Matthias Gerstner
Modified: 2019-12-13 09:58 UTC

Runtime testing required: ---


Description Matthias Gerstner 2019-12-13 09:14:12 UTC
It seems with one of the more recent updates of xscreensaver, /usr/lib64/misc/xscreensaver/sonar is now by default installed with capability cap_net_raw, allowing it to map the network and network response times.

It is my understanding that in the past the `suid` use flag of xscreensaver was supposed to control this privilege of the sonar screensaver.

Upstream now added a configure switch `--with-setcap-hacks` which defaults to `yes` that seems to be the cause of this silently added privilege.

This is a decline in default security and users can't even explicitly remove this behaviour via use flags at the moment.

I suggest passing `--with-setcap-hacks=no` by default and either tying this setting to the existing `suid` use flag or adding a new use flag specifically for the capability setting.

Reproducible: Always

Steps to Reproduce:
1. emerge xscreensaver
2. getcap /usr/lib64/misc/xscreensaver/sonar

Actual Results:  
you will find that cap_net_raw is set on the sonar binary

Expected Results:  
no extra privileges should be set on the sonar binary by default
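The check in the steps to reproduce above, generalised to the whole installed tree, as an added example that is not part of the bug report or of the xscreensaver ebuild. It parses `getcap -r` output (both the newer `path cap=ep` form and the older `path = cap+ep` form) and lists every binary that holds a given capability, so a silent change like this one shows up in a routine audit rather than only when someone happens to inspect one file. The `getcap` lines in `SAMPLE_GETCAP` are constructed for the demo, not captured from a real system; the sonar path is the one named in the bug, and the remaining paths are illustrative.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the xscreensaver package.
# Lists binaries carrying a given file capability, first on constructed getcap
# output and then on the live system when getcap is installed.

# Constructed sample of `getcap -r /usr` output (not captured from a real box).
# Newer libcap prints "path cap=flags"; older libcap prints "path = cap+flags".
SAMPLE_GETCAP='/usr/bin/ping cap_net_raw=ep
/usr/lib64/misc/xscreensaver/sonar cap_net_raw=ep
/usr/bin/gnome-keyring-daemon cap_ipc_lock=ep
/usr/sbin/arping = cap_net_raw+ep
/usr/bin/dumpcap cap_dac_read_search,cap_net_admin,cap_net_raw=eip'

# caps_holders CAP: read getcap output on stdin and print each path whose
# capability set names CAP (for example cap_net_raw), one per line.
caps_holders() {
    cap="$1"
    # Normalise the old "path = caps+flags" form to "path caps+flags".
    sed 's/ = / /' | awk -v cap="$cap" '
        NF >= 2 {
            # Field 2 is the capability list: names separated by commas and
            # terminated by "=" or "+" before the e/i/p flag letters.
            n = split($2, parts, /[=+,]/)
            for (i = 1; i <= n; i++) {
                if (parts[i] == cap) { print $1; break }
            }
        }'
}

# has_cap PATH CAP: exit 0 if the getcap output on stdin shows PATH holding CAP.
has_cap() {
    path="$1"
    cap="$2"
    caps_holders "$cap" | grep -qxF -- "$path"
}

# live_holders CAP [ROOT]: run the real getcap recursively over ROOT (default
# /usr) and filter with caps_holders. Prints nothing if getcap is not installed.
live_holders() {
    cap="$1"
    root="${2:-/usr}"
    command -v getcap >/dev/null 2>&1 || return 0
    getcap -r "$root" 2>/dev/null | caps_holders "$cap"
}

# Demo: the constructed sample first, then the live system where possible.
SONAR=/usr/lib64/misc/xscreensaver/sonar
echo "Sample binaries holding cap_net_raw:"
printf '%s\n' "$SAMPLE_GETCAP" | caps_holders cap_net_raw
if printf '%s\n' "$SAMPLE_GETCAP" | has_cap "$SONAR" cap_net_raw; then
    echo "sample: $SONAR holds cap_net_raw (the state this bug reports)"
fi
echo "Live binaries under /usr holding cap_net_raw (empty if getcap is missing):"
live_holders cap_net_raw /usr
```

Run it as root or with read access to the tree; `getcap -r` is noisy on sockets and special files, which is why stderr is dropped. If the live list contains the sonar binary, the package-level fix is the `caps` USE flag the follow-up commit below adds; `setcap -r` on the file only removes the capability until the package is next merged.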
Comment 1 Larry the Git Cow gentoo-dev 2019-12-13 09:58:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=39f6b50d8542413ba49747c3ae2d523b207718f3

commit 39f6b50d8542413ba49747c3ae2d523b207718f3
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-12-13 09:54:53 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-12-13 09:58:14 +0000

    x11-misc/xscreensaver: Add IUSE=caps
    
    Package-Manager: Portage-2.3.81, Repoman-2.3.20
    Bug: https://bugs.gentoo.org/702652
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 x11-misc/xscreensaver/xscreensaver-5.43-r1.ebuild | 4 +++-
 x11-misc/xscreensaver/xscreensaver-5.43-r2.ebuild | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)