
Bug#933810: ax25-apps: axlisten should never be setuid



On Sat, Aug 03, 2019 at 09:18:12PM +0100, Iain R. Learmonth wrote:
> Package: ax25-apps
> Version: 0.0.8-rc4-2+b1
> Severity: minor
> 
> Hi,
> 
> ax25-apps is only built for Linux because this is the only kernel with
> AX.25 support. Linux also has filesystem capabilities and we can use
> this instead of setuid for the axlisten binary to allow operation by
> non-root users. We're already doing this for Xastir.

axlisten is comparable to tcpdump or wireshark, which also do not make
use of the setuid bit (or anything else) for being started by non-root users.

About capabilities: yes, this may be a more secure approach.
But I just tested setcap cap_net_raw=ep without success.

> Perhaps we should actually get a static gid for this, because they're
> all apps that want to use AX.25 applications. Otherwise we'll end up
> with a load of dynamic groups.

vy 73,
	- Thomas  dl9sau

