FS#39686 - [inetutils] rsh, rcp and rlogin should use cap_net_bind_service, not setuid
Attached to Project:
Arch Linux
Opened by Daniel Micay (thestinger) - Sunday, 30 March 2014, 07:15 GMT
Last edited by Eric Belanger (Snowman) - Thursday, 25 September 2014, 02:13 GMT
Opened by Daniel Micay (thestinger) - Sunday, 30 March 2014, 07:15 GMT
Last edited by Eric Belanger (Snowman) - Thursday, 25 September 2014, 02:13 GMT
|
Details
The only permission these utilities require is the ability
to bind to a port below 1024 which can be provided with
cap_net_bind_service.
The iputils package has an example of this with cap_net_raw for ping/ping6: https://projects.archlinux.org/svntogit/packages.git/tree/trunk/iputils.install?h=packages/iputils A dependency on libcap will also need to be added to the package. I don't think a fallback to setuid needs to be included at all, since ext2, ext3, ext4, JFS, ReiserFS, XFS and Btrfs all support it capabilities (which are xattrs). The setuid bits can just be stripped out in the package function. |
This task depends upon
Closed by Eric Belanger (Snowman)
Thursday, 25 September 2014, 02:13 GMT
Reason for closing: Implemented
Thursday, 25 September 2014, 02:13 GMT
Reason for closing: Implemented
$ rsh localhost
rcmd: socket: Permission denied
rlogin: No access to privileged ports.
Same goes for rlogin.