Re: [alpine-devel] 3.3 proposal: reduce number of SUID binaries as much as possible

From: Orion <systmkor_at_gmail.com>
Date: Fri, 29 May 2015 11:10:35 -0700

# Note
Trying to get rid of SUID/SGID executables from alpine-mini most likely
will introduce more complexity. I concede that this may not be worth the
effort for the alpine-mini ISO as an install medium but as installation
options, like choosing between dropbear and openssh for your
ssh daemon.

On Fri, 29 May 2015 11:42:31 -0500
William Pitcock <nenolod_at_dereferenced.org> wrote:

> As far as I know there's no SUID/SGID enabled packages in alpine-mini
> other than bbsuid which we install to proxy only the SUID-needing bits
> of busybox.

While most likely that is true there are programs that are symbolically
linked to /bin/bbsuid and don't strictly have to be.

* /bin/ping
* /bin/ping6
* /usr/bin/crontab
* /usr/bin/passwd
* /usr/bin/traceroute


# network tools
Could the need for /bin/bbsuid be possibly removed by using extended
file capabilities?


# passwd
The openwall project provides a shadow file mechanism that removes the
need for suid bit on passwd.

* http://openwall.com/tcb/

I've successfully compiled tcb on Alpine however I've not had the
chance to fully test it.


# cron
There are a variety of cron daemons out there and I believe one of them
provides a more fine-grained controlled cron system. I think bcron may
be one.

* http://untroubled.org/bcron/

-- 
keybase.io/systmkor

Received on Fri May 29 2015 - 11:10:35 UTC
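
An inventory of the kind the message above walks through, as an added example that is not part of the original message or of Alpine's own tooling: it lists SUID/SGID files under a root directory and the symlinks that resolve to them, the way /bin/ping and /usr/bin/passwd resolve to /bin/bbsuid. The function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: inventory SUID/SGID files under a root directory and the
# symlinks that reach them. Function names are hypothetical; the demo tree
# is constructed and is not taken from a real Alpine image.

# list_suid ROOT: print every regular file under ROOT that has the
# setuid or setgid bit set.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# links_to_suid ROOT: print "link -> target" for each symlink under ROOT
# whose resolved target is a setuid or setgid regular file.
links_to_suid() {
    find "$1" -xdev -type l -print 2>/dev/null | sort | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || continue
        [ -f "$target" ] || continue
        if [ -u "$target" ] || [ -g "$target" ]; then
            printf '%s -> %s\n' "$link" "$target"
        fi
    done
}

# make_demo_tree DIR: build a constructed tree with one setuid helper,
# two applet links that reach it and one link that does not.
make_demo_tree() {
    mkdir -p "$1/bin" "$1/usr/bin"
    : > "$1/bin/bbsuid";  chmod 4755 "$1/bin/bbsuid"
    : > "$1/bin/busybox"; chmod 0755 "$1/bin/busybox"
    ln -s bbsuid "$1/bin/ping"
    ln -s ../../bin/bbsuid "$1/usr/bin/passwd"
    ln -s busybox "$1/bin/ls"
}

# Run against a directory given on the command line, e.g. "/" on an
# installed system or the root of an unpacked image.
if [ "$#" -gt 0 ]; then
    list_suid "$1"
    links_to_suid "$1"
fi
```

Each "link -> target" line is one command that currently runs with the helper's privileges and is therefore a candidate for one of the replacements discussed above.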