It seems with one of the more recent updates of xscreensaver, /usr/lib64/misc/xscreensaver/sonar is now by default installed with capability cap_net_raw, allowing it to map the network and network response times. It is my understanding that in the past the `suid` use flag of xscreensaver was supposed to control this privilege of the sonar screensaver. Upstream now added a configure switch `--with-setcap-hacks` which defaults to `yes` that seems to be the cause of this silently added privilege. This is a decline in default security and users can't even explicitly remove this behaviour via use flags at the moment. I suggest to pass by default `--with-setcap-hacks=no` and either tie this setting to the existing to the existing `suid` use flag or add a new use flag specifically for the capability setting. Reproducible: Always Steps to Reproduce: 1. emerge xscreensaver 2. getcap /usr/lib64/misc/xscreensaver/sonar Actual Results: you will find that cap_net_raw is set on the sonar binary Expected Results: no extra privileges should be set on the sonar binary by default
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=39f6b50d8542413ba49747c3ae2d523b207718f3 commit 39f6b50d8542413ba49747c3ae2d523b207718f3 Author: Jeroen Roovers <jer@gentoo.org> AuthorDate: 2019-12-13 09:54:53 +0000 Commit: Jeroen Roovers <jer@gentoo.org> CommitDate: 2019-12-13 09:58:14 +0000 x11-misc/xscreensaver: Add IUSE=caps Package-Manager: Portage-2.3.81, Repoman-2.3.20 Bug: https://bugs.gentoo.org/702652 Signed-off-by: Jeroen Roovers <jer@gentoo.org> x11-misc/xscreensaver/xscreensaver-5.43-r1.ebuild | 4 +++- x11-misc/xscreensaver/xscreensaver-5.43-r2.ebuild | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-)