Re: Documentation for F15's "Remove SETUID" Change?

Hi Steve,

On Wed, Mar 02, 2022 at 07:11:42PM -0500, Steve Grubb wrote:
> Hello,
> 
> On Tuesday, March 1, 2022 6:43:57 PM EST Michel Alexandre Salim wrote:
> > The subject of setuid came up in a private conversation recently, and to my
> > surprise we don't seem to have it documented in the packaging guidelines:
> > 
> > https://docs.fedoraproject.org/en-US/packaging-guidelines/
> > 
> > Per https://fedoraproject.org/wiki/Features/RemoveSETUID#Documentation
> > 
> > "We should change documentation on packaging guidelines to talk about
> > using file capabilities."
> > 
> > but the only mention of capabilities seems to be that, if you use it or
> > suid, PIE must be enabled:
> > 
> > https://docs.fedoraproject.org/en-US/packaging-guidelines/#_pie
> > 
> > Should this be documented somewhere, or if it's there but it's lost in
> > the wiki->docs migration, does anyone know where the documentation is?
> 
> As someone involved in that change, the situation was much worse back in 
> 2011. Almost everything was running as root. The inspection tools back then 
> were non-existent, which is why I wrote pscap and netcap.
> 
> Now, a lot of things use capabilities with a few still running as root when 
> they don't need to be. But I have not looked at all daemons. The lesser used 
> ones may need checking. But I think maybe some guidance could be good. 
> Something like:
> 
<snip>

That's really comprehensive, thanks. Can we document this? I'm a bit
worried about the situation where a packager and a reviewer don't have
the institutional memory of "we recommend capabilities over
setuid/setgid" and new setuid packages creeping in again.

Best regards,

-- 
Michel Alexandre Salim
identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2

_______________________________________________
packaging mailing list -- packaging@xxxxxxxxxxxxxxxxxxxxxxx