ban indiscriminate setcap usage
many aports use setcap on globally-executable programs. almost always, this is wrong. one egregious example is earlyoom, which does `setcap 'cap_kill,cap_ipc_lock,cap_setpcap=+ep' usr/bin/earlyoom`. this allows any user on the system to trivially kill selected processes by simply running `earlyoom -m 99 --prefer whatever`. `cap_setpcap` is even more terrible, since it could potentially allow bypassing the entire multi-user security framework, and apparently isn't even needed by earlyoom? similarly, timed does `setcap cap_sys_time+ep "$pkgdir"/usr/bin/timed-qt5`, which I believe allows anybody on the system to arbitrarily manipulate the system clock.
most packages do not do such terrible things, and only unnecessarily set `cap_net_bind_service=+ep`, or worse, `cap_net_bind_service+eip`, on the main binary. while low-port security is not a critical aspect of modern Linux security, this could potentially be combined with e.g. killing sshd (see above) to install a fake sshd on port 22 to harvest passwords (albeit with wrong host keys).
it appears that in most cases, this is used as a dangerously insecure alternative to proper privilege separation in the init script. the correct solution is to either use the program's own privilege dropping, or `setpriv --reuid=UID --regid=GID --init-groups --inh-caps +whatever --ambient-caps +whatever`, or some capsh equivalent. the latter two require separate helper programs to be installed (busybox setpriv is near-useless).
of current aports, kwin and powerdevil are ok because they use setcap to remove caps, not add them; netdata, wireshark, and I believe fping are ok because the programs are specifically designed to be suid; mpd and sn0int are dubious; earlyoom, timed, and probably corerad, nebula, ubridge, conntracct, and pcsx2 have serious vulnerabilities; and the rest give everybody cap_net_bind_service which is insecure but probably not horribly so.
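to make the triage above repeatable, here is a small audit script (an added example, not code from this issue or from aports) that scans APKBUILD text for `setcap` calls and sorts each one into the buckets used above: "remove" (setcap used to clear caps, as kwin does), "critical" (any of cap_kill, cap_ipc_lock, cap_setpcap, cap_sys_time, the caps named in the earlyoom and timed examples), "low-port" (cap_net_bind_service), and "other". it also notes when the inheritable flag (`+eip`) is present. the sample APKBUILD lines it reads are constructed for the demo; the earlyoom and timed lines copy the calls quoted above, while `somedaemon` and the exact kwin line are placeholders.

```shell
#!/bin/sh
# Added example: audit APKBUILD text for setcap usage and classify each call.
# Not part of the aports issue or of any Alpine tooling; the capability lists
# below are the ones discussed in the issue, not an exhaustive policy.

# classify_setcap SPEC
#   SPEC is setcap's capability argument (e.g. 'cap_kill,cap_setpcap=+ep') or -r.
#   Prints: remove | critical | low-port | other, plus " (inheritable)" when the
#   flags include i.
classify_setcap() {
    spec=$1
    # No '+' means nothing is being granted: setcap -r, 'cap_x=' or 'cap_x-ep'.
    case "$spec" in
        *+*) ;;
        *) echo remove; return 0 ;;
    esac
    flags=${spec##*+}          # text after the last '+', e.g. ep or eip
    names=${spec%%[=+]*}       # comma-separated capability names before '=' or '+'
    suffix=""
    case "$flags" in *i*) suffix=" (inheritable)" ;; esac
    level=other
    old_ifs=$IFS; IFS=,
    for cap in $names; do
        case "$cap" in
            cap_kill|cap_ipc_lock|cap_setpcap|cap_sys_time) level=critical ;;
            cap_net_bind_service) [ "$level" = critical ] || level=low-port ;;
        esac
    done
    IFS=$old_ifs
    echo "$level$suffix"
}

# audit_apkbuild < APKBUILD
#   Prints one line per setcap call: "<line>: <spec> <target> -> <class>".
audit_apkbuild() {
    grep -n 'setcap' | tr -d "'\"" | while IFS= read -r line; do
        lineno=${line%%:*}
        rest=${line#*:}
        set -- $rest                  # $1=setcap $2=spec-or--r $3=target path
        printf '%s: %s %s -> %s\n' "$lineno" "$2" "$3" "$(classify_setcap "$2")"
    done
}

# Constructed APKBUILD fragment for the demo (somedaemon is a placeholder).
sample_apkbuild() {
    cat <<'EOF'
package() {
	make DESTDIR="$pkgdir" install
	setcap 'cap_kill,cap_ipc_lock,cap_setpcap=+ep' usr/bin/earlyoom
	setcap cap_sys_time+ep "$pkgdir"/usr/bin/timed-qt5
	setcap cap_net_bind_service+eip "$pkgdir"/usr/bin/somedaemon
	setcap -r "$pkgdir"/usr/bin/kwin_wayland
}
EOF
}

sample_apkbuild | audit_apkbuild
```

run it as `audit_apkbuild < APKBUILD` over a real aport, or loop it over a checkout, to get a first-pass list of packages to review; anything reported as "critical" or "(inheritable)" is the kind of call this issue argues should be replaced by the program's own privilege dropping or a setpriv wrapper in the init script.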
in general, simply installing packages should not introduce new security vulnerabilities. using setcap on programs which were not specifically designed for it almost always results in this. therefore, I believe such usage should be prohibited, with exceptions on a case-by-case basis (netdata, wireshark, fping).