Bug ID 1207654
Summary AUDIT-FIND: kismet: systemd service unnecessarily runs as root
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter wolfgang.frisch@suse.com
QA Contact qa-bugs@suse.de
CC mardnh@gmx.de, meissner@suse.com, wolfgang.frisch@suse.com
Depends on 1200954
Found By ---
Blocker ---

+++ This bug was initially created as a clone of Bug #1200954 +++

kismet's systemd service unnecessarily runs as root. Upstream actually warns
about it [1], since only the individual capture binaries require special
privileges, but not the main kismet daemon. However, we shouldn't adopt their
recommendations verbatim, that is, to install the capture binaries as
setuid-root. Instead of setuid-root, we can use more fine-grained Linux
capabilities [2].

Note there's already a submit request underway [3] with a number of systemd
hardenings. We can keep those, and additionally drop privileges.

[1] https://github.com/kismetwireless/kismet/blob/master/packaging/systemd/README
[2] capabilities(7) setcap(8)
[3] https://build.opensuse.org/request/show/1046457
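
An audit check for the setuid-root versus file-capabilities distinction drawn above, as an added example that is not part of the original report or of the kismet packaging. It decodes the security.capability xattr that setcap(8) writes; the capability pair in the constructed sample (cap_net_admin, cap_net_raw) is an assumption for illustration, since the report does not list which capabilities the capture binaries need.

```python
import os
import stat
import struct

# Subset of capability numbers from linux/capability.h (illustrative choice).
CAP_NAMES = {12: "cap_net_admin", 13: "cap_net_raw"}
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# Number of 32-bit (permitted, inheritable) pairs per vfs_cap_data revision.
REVISION_PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}

# Constructed sample: revision 2, effective flag set, permitted = bits 12 and 13.
SAMPLE_XATTR = struct.pack("<IIIII", 0x02000001, (1 << 12) | (1 << 13), 0, 0, 0)


def decode_file_caps(blob):
    """Decode a security.capability value into (permitted names, effective flag)."""
    if len(blob) < 4:
        raise ValueError("truncated vfs_cap_data")
    (magic,) = struct.unpack_from("<I", blob, 0)
    pairs = REVISION_PAIRS.get(magic & VFS_CAP_REVISION_MASK)
    if pairs is None or len(blob) < 4 + 8 * pairs:
        raise ValueError("unknown or truncated vfs_cap_data")
    permitted = 0
    for i in range(pairs):
        perm, _inheritable = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= perm << (32 * i)
    names = [CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if (permitted >> b) & 1]
    return names, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)


def classify(mode, uid, cap_blob):
    """Audit verdict from st_mode, owner uid and the xattr value (or None)."""
    if mode & stat.S_ISUID and uid == 0:
        return "setuid-root: full root privileges on exec"
    if cap_blob:
        names, effective = decode_file_caps(cap_blob)
        return "file capabilities: " + ",".join(names) + ("+ep" if effective else "+p")
    return "unprivileged"


def audit(path):
    """Classify one installed binary (Linux only: uses os.getxattr)."""
    st = os.stat(path)
    try:
        blob = os.getxattr(path, "security.capability")
    except OSError:  # no xattr set, or filesystem without xattr support
        blob = None
    return classify(st.st_mode, st.st_uid, blob)
```

Running audit() over each packaged capture binary shows whether a build still ships them setuid-root or with a narrower capability set.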

