I suggest to add fs capability support to statoverride. (The fs capability set is a bit mask of capabilities that root can specify for an executable, which will then automatically get these capabilities, regardless of who runs them - somewhat like a broken-up suid-root.)

At the moment no Linux filesystem I know supports capabilities, but there are kernel patches[1] for somewhat limited (non-persistent) support. Hopefully soon, ext2 & co will get capabilities - if we plan ahead we will be ready.

Details:

* packages should start registering with capabilities. e.g.:

    statoverride --add root root 4755 /bin/ping cap_net_raw

  with the limitation that (for now) only suid-root programs may list capabilities. The assumption is that the program will only need the named capabilities to run correctly, but has to be suid-root if these are not supported.

* statoverride will save the information alongside the other stuff

* dpkg will try to set the given capabilities, and verify if they have been set.

  - If the verify succeeds, the filesystem understands capabilities, and the suid bit will be masked out of the mode.

  - Otherwise, the mode is left alone, resulting in the program being suid-root.

This should offer a smooth path to even less suid-root programs.

Footnotes:

[1] ftp://linux.kernel.org/pub/linux/libs/security/linux-privs/

-- 
Robbe
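As an added illustration of the dpkg-side procedure proposed above (example code, not from the original message and not dpkg's own implementation): parse an override entry in the assumed "user group mode path [cap,...]" format, enforce the suid-root-only rule for capability lists, try to set and verify the capabilities, and mask the suid bit out of the mode only when the verify succeeds. It uses today's setcap(8)/getcap(8) from libcap rather than the tooling of the time; the function names and the record format are assumptions.

```python
import os
import stat
import subprocess

def parse_override(line):
    """Parse an assumed statoverride record: "user group mode path [cap,cap,...]"."""
    fields = line.split()
    if len(fields) not in (4, 5):
        raise ValueError("bad statoverride entry: %r" % line)
    user, group, mode_str, path = fields[:4]
    mode = int(mode_str, 8)
    caps = fields[4].split(",") if len(fields) == 5 else []
    # Proposal's limitation: only suid-root programs may list capabilities.
    if caps and not (user == "root" and mode & stat.S_ISUID):
        raise ValueError("capabilities may only be listed for suid-root programs")
    return {"user": user, "group": group, "mode": mode, "path": path, "caps": caps}

def try_set_caps(path, caps):
    """Set the file capabilities (effective+permitted) and verify them.
    Returns True only if getcap reports every requested capability; any
    failure (tools missing, filesystem without xattr support, not root)
    counts as 'not supported', which keeps the suid fallback."""
    if not caps:
        return False
    capstr = ",".join(caps) + "=ep"
    try:
        subprocess.run(["setcap", capstr, path], check=True, capture_output=True)
        out = subprocess.run(["getcap", path], check=True,
                             capture_output=True, text=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return False
    return all(c in out for c in caps)

def effective_mode(entry, caps_verified):
    """Mask suid out of the registered mode iff the capabilities were verified."""
    if caps_verified:
        return entry["mode"] & ~stat.S_ISUID
    return entry["mode"]

def apply_override(entry, setter=try_set_caps):
    """Apply one override; 'setter' is injectable so the decision logic can be
    exercised without root or a capability-aware filesystem."""
    verified = setter(entry["path"], entry["caps"])
    mode = effective_mode(entry, verified)
    os.chmod(entry["path"], mode)
    return mode

if __name__ == "__main__":
    entry = parse_override("root root 4755 /bin/ping cap_net_raw")  # constructed record
    print(oct(effective_mode(entry, True)), oct(effective_mode(entry, False)))
```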