[Bug 1207654] New: AUDIT-FIND: kismet: systemd service unnecessarily runs as root
https://bugzilla.suse.com/show_bug.cgi?id=1207654

            Bug ID: 1207654
           Summary: AUDIT-FIND: kismet: systemd service unnecessarily runs as root
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: wolfgang.frisch@suse.com
        QA Contact: qa-bugs@suse.de
                CC: mardnh@gmx.de, meissner@suse.com, wolfgang.frisch@suse.com
        Depends on: 1200954
          Found By: ---
           Blocker: ---

+++ This bug was initially created as a clone of Bug #1200954 +++

kismet's systemd service unnecessarily runs as root.

Upstream actually warns about it [1], since only the individual capture binaries require special privileges, but not the main kismet daemon. However we shouldn't adopt their recommendations verbatim, that is to install the capture binaries as setuid-root. Instead of setuid-root, we can use more fine-grained Linux capabilities [2].

Note there's already a submit request underway [3] with a number of systemd hardenings. We can keep those, and additionally drop privileges.

[1] https://github.com/kismetwireless/kismet/blob/master/packaging/systemd/READM...
[2] capabilities(7) setcap(8)
[3] https://build.opensuse.org/request/show/1046457

--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1207654

Wolfgang Frisch <wolfgang.frisch@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|1200954                     |
           Assignee|security-team@suse.de       |prusnak@opensuse.org
https://bugzilla.suse.com/show_bug.cgi?id=1207654

Wolfgang Frisch <wolfgang.frisch@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |prusnak@opensuse.org
           Assignee|prusnak@opensuse.org        |wolfgang.frisch@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1207654

Wolfgang Frisch <wolfgang.frisch@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1200954
https://bugzilla.suse.com/show_bug.cgi?id=1207654
https://bugzilla.suse.com/show_bug.cgi?id=1207654#c1

Wolfgang Frisch <wolfgang.frisch@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |IN_PROGRESS

--- Comment #1 from Wolfgang Frisch <wolfgang.frisch@suse.com> ---
Since there was an older SR [1] from the security team still in flight, I decided to implement the changes myself [2]. I also went through the suggested systemd hardenings and kept only those that don't interfere with the elevated capabilities required by the capture plugins.

The new SR adds a new system user, drops all root privileges and incorporates some of jsegitz' automated systemd hardenings, e.g. disable access to /home.

I tested basic WiFi capture functionality, which still works with the new restrictions in place.

[1] https://build.opensuse.org/request/show/1046457
[2] https://build.opensuse.org/request/show/1063492
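An added example, not part of the bug report or of the openSUSE package: a small shell audit for the finding described in the messages above. It reports whether a unit's `[Service]` section leaves the main process running as root and whether a helper binary gets its privileges from the setuid bit or from file capabilities. The unit contents, `example-user` and `/usr/bin/example-daemon` are constructed placeholders; `getcap` (libcap) is used only if installed, and drop-in files are not evaluated.

```shell
# Added example; unit contents, example-user and example-daemon are constructed.

# Write two constructed units: one without User= and one with a dedicated user.
make_samples() {
    printf '%s\n' '[Unit]' 'Description=constructed, no User= set' \
        '[Service]' 'ExecStart=/usr/bin/example-daemon' > "$1/before.service"
    printf '%s\n' '[Unit]' 'Description=constructed, dedicated user' \
        '[Service]' 'User=example-user' 'ProtectHome=true' \
        'ExecStart=/usr/bin/example-daemon' > "$1/after.service"
}

# Print the User= in effect for [Service]; last assignment wins, unset means root.
service_user() {
    awk '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && /^User[ \t]*=/ {
            sub(/^User[ \t]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); user = $0
        }
        END { print (user == "" ? "root" : user) }
    ' "$1"
}

# Succeed (exit 0) when the unit would start its main process as root.
runs_as_root() {
    case "$(service_user "$1")" in
        root|0) return 0 ;;
        *) return 1 ;;
    esac
}

# Say where a helper binary gets privileges from: setuid, caps or none.
privilege_source() {
    if [ -u "$1" ]; then
        echo setuid
    elif command -v getcap >/dev/null 2>&1 && [ -n "$(getcap "$1" 2>/dev/null)" ]; then
        echo caps
    else
        echo none
    fi
}

# Demo on the constructed units.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for unit in "$demo_dir"/*.service; do
    if runs_as_root "$unit"; then v="runs as root"; else v="drops to $(service_user "$unit")"; fi
    echo "$(basename "$unit"): $v"
done
rm -rf "$demo_dir"
```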
https://bugzilla.suse.com/show_bug.cgi?id=1207654
https://bugzilla.suse.com/show_bug.cgi?id=1207654#c2

--- Comment #2 from Wolfgang Frisch <wolfgang.frisch@suse.com> ---
We decided to modernize the packaging while we're at it. The package now utilizes systemd-sysusers [1]. Apart from that we need two changes to rpmlint, one for the added user/group [2] and a whitelisting for the fs caps. I will submit the latter as soon as bsc#1200954 is resolved.

[1] https://www.freedesktop.org/software/systemd/man/systemd-sysusers.html
[2] https://github.com/rpm-software-management/rpmlint/pull/1001
https://bugzilla.suse.com/show_bug.cgi?id=1207654
https://bugzilla.suse.com/show_bug.cgi?id=1207654#c4

Wolfgang Frisch <wolfgang.frisch@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|IN_PROGRESS                 |RESOLVED
         Resolution|---                         |FIXED

--- Comment #4 from Wolfgang Frisch <wolfgang.frisch@suse.com> ---
Released.
https://build.opensuse.org/package/rdiff/openSUSE:Factory/kismet?linkrev=base&rev=56