On Thu, Oct 28, 2010 at 12:44:52PM +0530, Rahul Sundaram wrote:
This feature is now approved and I see bugs get filed. The documentation and guidelines are very incomplete. How does one figure out which file capabilities are needed by the programs I maintain that currently use setuid? Help, please.
Probably: remove setuid bit, run, see what breaks. strace may be useful
[pp@the ~]$ strace ./rsh localhost 2>&1|grep EACCES bind(3, {sa_family=AF_INET6, sin6_port=htons(1023), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)
-> needs CAP_NET_BIND_SERVICE. It didn't seem to output any error to the user, so the lacking permissions may be well-hidden.
https://wiki.archlinux.org/index.php/Using_File_Capabilities_Instead_Of_Setu... seems to have a list btw., which may or may not be correct.
Do note that removing suid from some programs is a bad idea: "Warning: Do not use it, because mount and umount can not do some checks, then users can mount/umount filesystems that do not have permission." (probably those checks could/should be implemented upstream, if they're not already there)
So it's a feature that could introduce new vulnerabilities if done wrong, but it's certainly worth doing, carefully. If uncertain, ask.