On Thu, Oct 28, 2010 at 11:14:08AM +0300, Pekka Pietikainen wrote:
> On Thu, Oct 28, 2010 at 12:44:52PM +0530, Rahul Sundaram wrote:
> > This feature is now approved and I see bugs get filed. The documentation and
> > guidelines are very incomplete. How does one figure out which file
> > capabilities are needed by the programs I maintain that currently use setuid?Â
> > Help, please.
> Probably: remove setuid bit, run, see what breaks. strace may be useful
Don't do that. You have to *always* read the application source code to verify
that the change is safe. You have to verify all relevant shared libraries too.
> [pp@the ~]$ strace ./rsh localhost 2>&1|grep EACCES
> bind(3, {sa_family=AF_INET6, sin6_port=htons(1023), inet_pton(AF_INET6,
> "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES
> (Permission denied)
>
> -> needs CAP_NET_BIND_SERVICE. It didn't seem to output any error to the
> user, so the lacking permissions may be well-hidden.
That's completely wrong and dangerous point of view...
Karel
--
Karel Zak <kzak@xxxxxxxxxx>
http://karelzak.blogspot.com
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
