Feature changed by: Ludwig Nussel (lnussel)
Feature #313210, revision 6
Title: get rid of all setuid binaries

openSUSE Distribution: Unconfirmed
  Priority
    Requester: Important

Requested by: Ludwig Nussel (lnussel)
Requested by: Security Team (secteam)
Partner organization: openSUSE.org

Description:
setuid binaries directly or indirectly cause a never ending stream of
security issues due to bugs in various components:
- the implementation of the binaries themselves (CVE-2011-2490,
  CVE-2011-1946, CVE-2011-1485, CVE-2011-2145, CVE-2011-1675,
  CVE-2010-4170, CVE-2009-2948)
- libraries linked into setuid binaries (CVE-2010-3853, CVE-2010-3316,
  CVE-2009-0360)
- glibc resp the linker (CVE-2011-1658, CVE-2010-3847, CVE-2011-0536,
  CVE-2010-3192, CVE-2011-1089)
- kernel (CVE-2012-0056, CVE-2011-1020, CVE-2010-2240, CVE-2010-0296,
  CVE-2011-1020, CVE-2009-2848)

Therefore we should strive to get rid of all setuid binaries and replace
them with client/server implementations.

Discussion:
#1: Sebastian Freundt (hroptatyr) (2012-02-09 12:04:47)
How does a client/server implementation of ping(1) look like then?

+ #5: Ludwig Nussel (lnussel) (2012-02-09 12:52:17) (reply to #1)
+ The server part, e.g. a dbus service or some other process that listens
+ on a unix domain socket (potentially auto activated via systemd) does
+ the privileged operations. In case of ping the server part could either
+ only open the raw socket and pass the fd back or do all the work and
+ pass back only the actual output to the client.

#2: Ned Ulbricht (ned_ulbricht) (2012-02-09 12:42:07)
su and sudo are kind of pointless unless setuid

#3: Marcus Meissner (msmeissn) (2012-02-09 03:49:03) (reply to #2)
su and sudo can both be replaced by ssh root@localhost (optional with -X)
but these are probably way down the TODO list.

+ #4: Ludwig Nussel (lnussel) (2012-02-09 12:52:08) (reply to #2)
+ they are not pointless but they need to be implemented differently,
+ something like a local telnet.

-- openSUSE Feature: https://features.opensuse.org/313210