I suggest to add fs capability support to statoverride.
(The fs capability set is a bit mask of capabilities that root can
specify for an executable, which will then automatically get these
capabilities, regardless of who runs them - somewhat like a broken-up
suid-root.)
At the moment no Linux filesystem I know supports capabilities, but
there are kernel patches[1] for somewhat limited (non-persistent)
support. Hopefully soon, ext2 & co will get capabilities - if we plan
ahead we will be ready.
Details:
* packages should start registering with capabilities. e.g.:
statoverride --add root root 4755 /bin/ping cap_net_raw
with the limitation that (for now) only suid-root programs may list
capabilities. The assumption is that the program will only need the
named capabilities to run correctly, but has to be suid-root if these
are not supported.
* statoverride will save the information alongside the other stuff
* dpkg will try to set the given capabilities, and verify if they have
been set.
- If the verify succeeds, the filesystem understands capabilities,
and the suid bit will be masked out of the mode.
- Otherwise, the mode is left alone, resulting in the program being
suid-root.
This should offer a smooth path to even less suid-root programs.
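As an added illustration (not code from this proposal, dpkg or statoverride), the following POSIX shell sketch carries the set/verify/mask rule above through for one file. It assumes the setcap and getcap tools from libcap, which the proposal predates, and treats "the capability name shows up when read back" as the verify step; mask_suid and choose_mode are hypothetical helper names.

```shell
#!/bin/sh
# Added example: models the mode decision described in the proposal.
# Assumptions: setcap/getcap from libcap are the interface for writing and
# reading back the fs capability set (not part of the original post).

# mask_suid MODE -> MODE with the setuid bit (04000) cleared, 4-digit octal.
# A leading 0 is prepended so $(( )) parses the mode as octal.
mask_suid() {
    mode=$1
    printf '%04o\n' $(( 0$mode & ~04000 ))
}

# choose_mode MODE VERIFIED -> the mode dpkg would finally apply.
# VERIFIED=yes means the filesystem stored and returned the capability set,
# so the program no longer needs to be suid-root; otherwise keep the mode.
choose_mode() {
    mode=$1; verified=$2
    if [ "$verified" = yes ]; then
        mask_suid "$mode"
    else
        printf '%s\n' "$mode"
    fi
}

# caps_verified PATH CAPNAME -> success if getcap reports CAPNAME on PATH.
# Works with both the old "path cap=ep" and newer "path = cap+ep" formats.
caps_verified() {
    path=$1; capname=$2
    command -v getcap >/dev/null 2>&1 || return 1
    getcap "$path" 2>/dev/null | grep -q "$capname"
}

# install_with_caps PATH MODE CAPNAME -> prints the mode to chmod PATH to.
# Try to attach the capability, then read it back; only if that round trip
# succeeds is the setuid bit dropped (the filesystem "understands" caps).
install_with_caps() {
    path=$1; mode=$2; capname=$3
    verified=no
    if command -v setcap >/dev/null 2>&1 \
        && setcap "${capname}=ep" "$path" 2>/dev/null \
        && caps_verified "$path" "$capname"; then
        verified=yes
    fi
    choose_mode "$mode" "$verified"
}

# Demo on a throw-away file: without root or libcap this prints 4755,
# i.e. the registered suid-root mode is kept as the fallback.
tmp=$(mktemp)
echo "mode for $tmp: $(install_with_caps "$tmp" 4755 cap_net_raw)"
rm -f "$tmp"
```

Run as root on a filesystem with xattr support to see the other branch: setcap succeeds, getcap reads the set back, and the printed mode becomes 0755. The verify step is what makes the fallback safe: a setcap that silently does nothing would otherwise leave ping neither suid nor capable.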
Footnotes:
[1] ftp://linux.kernel.org/pub/linux/libs/security/linux-privs/
--
Robbe