r1670 - in trunk/BOOK: chapter01 chapter06

Sun, 21 Aug 2011 00:29:53 -0700 

Author: robert
Date: 2011-08-21 01:29:43 -0600 (Sun, 21 Aug 2011)
New Revision: 1670

Modified:
   trunk/BOOK/chapter01/changelog.xml
   trunk/BOOK/chapter06/shadow.xml
   trunk/BOOK/chapter06/util-linux-ng.xml
Log:
Stop using capabilities with Shadow and Util-linux-ng. They're vulnerable to 
race conditions.

Modified: trunk/BOOK/chapter01/changelog.xml
===================================================================
--- trunk/BOOK/chapter01/changelog.xml  2011-08-21 06:51:57 UTC (rev 1669)
+++ trunk/BOOK/chapter01/changelog.xml  2011-08-21 07:29:43 UTC (rev 1670)
@@ -43,6 +43,10 @@
         <listitem>
           <para>[robert] - Be verbose (-v) with setcap.</para>
         </listitem>
+       <listitem>
+         <para>[robert] - Stop using capabilities with Shadow and 
Util-linux-ng.
+         They're vulnerable to race conditions.</para>
+       </listitem>
       </itemizedlist>
     </listitem>
 

Modified: trunk/BOOK/chapter06/shadow.xml
===================================================================
--- trunk/BOOK/chapter06/shadow.xml     2011-08-21 06:51:57 UTC (rev 1669)
+++ trunk/BOOK/chapter06/shadow.xml     2011-08-21 07:29:43 UTC (rev 1670)
@@ -103,6 +103,8 @@
 
 <screen><userinput remap="install">mv -v /usr/bin/passwd 
/bin</userinput></screen>
 
+<!-- Note: Some of these are vulnerable to race conditions
+
     <para>Use Linux Capabilities instead of suid:</para>
 
 <screen><userinput remap="install">chmod -v -s /usr/bin/chage
@@ -121,6 +123,7 @@
 setcap -v CAP_DAC_READ_SEARCH,CAP_SETUID,CAP_SETGID=ep /bin/su
 chmod -v -s /bin/passwd
 setcap -v CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_SETUID=ep 
/bin/passwd</userinput></screen>
+-->
 
     <!-- <para>Move Shadow's libraries to more appropriate locations:</para>
 

Modified: trunk/BOOK/chapter06/util-linux-ng.xml
===================================================================
--- trunk/BOOK/chapter06/util-linux-ng.xml      2011-08-21 06:51:57 UTC (rev 
1669)
+++ trunk/BOOK/chapter06/util-linux-ng.xml      2011-08-21 07:29:43 UTC (rev 
1670)
@@ -96,6 +96,8 @@
 
 <screen><userinput remap="install">make install</userinput></screen>
 
+<!-- Note: These are vulnerable to race conditions
+
     <para>Use Linux Capabilities instead of suid (FIXME: wall and write are 
suid too):</para>
 
 <screen><userinput remap="install">chmod -v -s /bin/mount
@@ -103,6 +105,7 @@
 chmod -v -s /bin/umount
 setcap -v CAP_SYS_ADMIN=ep /bin/umount
 </userinput></screen>
+-->
 
   </sect2>
 

-- 
http://linuxfromscratch.org/mailman/listinfo/hlfs-book
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page

Reply via email to