It seems with one of the more recent updates of xscreensaver, /usr/lib64/misc/xscreensaver/sonar is now by default installed with capability cap_net_raw, allowing it to map the network and network response times.
It is my understanding that in the past the `suid` use flag of xscreensaver was supposed to control this privilege of the sonar screensaver.
Upstream now added a configure switch `--with-setcap-hacks` which defaults to `yes` that seems to be the cause of this silently added privilege.
This is a decline in default security and users can't even explicitly remove this behaviour via use flags at the moment.
I suggest to pass by default `--with-setcap-hacks=no` and either tie this setting to the existing to the existing `suid` use flag or add a new use flag specifically for the capability setting.
Steps to Reproduce:
1. emerge xscreensaver
2. getcap /usr/lib64/misc/xscreensaver/sonar
you will find that cap_net_raw is set on the sonar binary
no extra privileges should be set on the sonar binary by default
The bug has been referenced in the following commit(s):
Author: Jeroen Roovers <email@example.com>
AuthorDate: 2019-12-13 09:54:53 +0000
Commit: Jeroen Roovers <firstname.lastname@example.org>
CommitDate: 2019-12-13 09:58:14 +0000
x11-misc/xscreensaver: Add IUSE=caps
Package-Manager: Portage-2.3.81, Repoman-2.3.20
Signed-off-by: Jeroen Roovers <email@example.com>
x11-misc/xscreensaver/xscreensaver-5.43-r1.ebuild | 4 +++-
x11-misc/xscreensaver/xscreensaver-5.43-r2.ebuild | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)