How to replace setuid with file-system capabilities

Inspired by this question, here is the follow-up:

As some of you may know, setuid binaries are dangerous, since some exploits use these to escalate their rights up to root.

Now it seems that there has been an interesting idea to replace setuid with different, more secure means.


Asked By: Nils


File system capabilities in Linux were added to allow more fine-grained control than setuid alone will allow. With setuid it’s a full escalation of effective privileges to the user (typically root). The capabilities(7) manpage provides the following description:

For the purpose of performing permission checks, traditional Unix implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).

Starting with kernel 2.2, Linux divides the privileges traditionally
associated with superuser into distinct units, known as capabilities,
which can be independently enabled and disabled. Capabilities are a
per-thread attribute.

If an application needs the ability to call chroot(), which is typically only allowed for root, CAP_SYS_CHROOT can be set on the binary rather than setuid. This can be done using the setcap command:

setcap cap_sys_chroot+ep /bin/mybin   # +ep: permitted and effective on exec; verify with: getcap /bin/mybin

As of RPM version 4.7.0, capabilities can be set on packaged files using %caps.

Fedora 15 had a release goal of removing all setuid binaries tracked in this bug report. According to the bug report, this goal was accomplished.

The Wikipedia article on Capability-based security is a good read for anyone interested.

Answered By: jordanm
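As an added example (not part of the original answer), here is what the "mybin" from the setcap command above might look like: a small program that needs chroot() and nothing else, so it can be shipped with cap_sys_chroot+ep instead of the setuid bit. The binary name, the build commands and the sample /proc/self/status lines are assumptions for illustration. It reads its own effective capability set from /proc/self/status, reports whether CAP_SYS_CHROOT (capability number 18) is present, and then attempts the chroot, which fails with EPERM when the file capability is missing, even though nothing about the UID changed.

```c
/*
 * Added example, not from the original answer or any project: a program
 * that needs only CAP_SYS_CHROOT, written to be run with a file capability
 * instead of setuid root. Names and paths below are assumed.
 *
 *   cc -Wall -o mybin mybin.c
 *   sudo setcap cap_sys_chroot+ep ./mybin   # one-time step, needs root
 *   getcap ./mybin                          # shows: ./mybin cap_sys_chroot=ep
 *   ./mybin /var/empty                      # as an unprivileged user
 *
 * After `sudo setcap -r ./mybin` the same run fails with EPERM: the process
 * never had a root UID, only the one privilege the file capability granted.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CAP_SYS_CHROOT 18   /* capability number, as in <linux/capability.h> */

/* Return 1 if capability number `cap` is set in the bitmask `set`, else 0. */
int cap_set_has(uint64_t set, int cap)
{
    if (cap < 0 || cap >= 64)
        return 0;
    return (int)((set >> cap) & 1ULL);
}

/*
 * Parse one "Key:\t<hex>" line as found in /proc/self/status, for example
 * "CapEff:\t0000000000040000". Returns 1 and stores the mask in *out when the
 * line carries the requested key, 0 for other keys or malformed input.
 */
int parse_cap_line(const char *line, const char *key, uint64_t *out)
{
    size_t klen = strlen(key);
    if (strncmp(line, key, klen) != 0 || line[klen] != ':')
        return 0;
    const char *p = line + klen + 1;
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (errno != 0 || end == p)
        return 0;
    *out = (uint64_t)v;
    return 1;
}

/* Read the named capability set (CapEff, CapPrm, CapInh, ...) of this process. */
int read_cap_set(const char *key, uint64_t *out)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;
    char line[256];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if (parse_cap_line(line, key, out)) {
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

int main(int argc, char **argv)
{
    const char *newroot = argc > 1 ? argv[1] : "/";
    uint64_t eff = 0;

    if (read_cap_set("CapEff", &eff))
        printf("uid=%u euid=%u CapEff=%016llx cap_sys_chroot=%s\n",
               (unsigned)getuid(), (unsigned)geteuid(),
               (unsigned long long)eff,
               cap_set_has(eff, CAP_SYS_CHROOT) ? "yes" : "no");

    /* chdir() into the new root first so the old root is not reachable via cwd. */
    if (chdir(newroot) != 0 || chroot(newroot) != 0) {
        fprintf(stderr, "chroot(%s) failed: %s\n", newroot, strerror(errno));
        return 1;
    }
    printf("chroot(%s) succeeded with euid %u\n", newroot, (unsigned)geteuid());
    return 0;
}
```

Two things worth checking on a real deployment: getcap should show cap_sys_chroot=ep (effective and permitted) and nothing more, and the binary should not also carry the setuid bit, since the point is to remove it (chmod u-s). Because the file capability sets no inheritable bit, a program this binary exec()s does not keep CAP_SYS_CHROOT, which is the behaviour you want; a program that keeps running after the chroot should still drop the capability (with libcap's cap_set_proc, for instance) once it is no longer needed.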