FS#39686 - [inetutils] rsh, rcp and rlogin should use cap_net_bind_service, not setuid

Attached to Project: Arch Linux
Opened by Daniel Micay (thestinger) - Sunday, 30 March 2014, 07:15 GMT
Last edited by Eric Belanger (Snowman) - Thursday, 25 September 2014, 02:13 GMT
Task Type Feature Request
Category Packages: Core
Status Closed
Assigned To Eric Belanger (Snowman)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 4
Private No

Details

The only permission these utilities require is the ability to bind to a port below 1024 which can be provided with cap_net_bind_service.

The iputils package has an example of this with cap_net_raw for ping/ping6:

https://projects.archlinux.org/svntogit/packages.git/tree/trunk/iputils.install?h=packages/iputils

A dependency on libcap will also need to be added to the package. I don't think a fallback to setuid needs to be included at all, since ext2, ext3, ext4, JFS, ReiserFS, XFS and Btrfs all support it capabilities (which are xattrs). The setuid bits can just be stripped out in the package function.
This task depends upon

Closed by  Eric Belanger (Snowman)
Thursday, 25 September 2014, 02:13 GMT
Reason for closing:  Implemented
Comment by Eric Belanger (Snowman) - Wednesday, 24 September 2014, 00:56 GMT
setcap doesn't work:

$ rsh localhost
rcmd: socket: Permission denied

rlogin: No access to privileged ports.

Same goes for rlogin.
Comment by Daniel Micay (thestinger) - Wednesday, 24 September 2014, 01:10 GMT
Using `chmod -s /usr/bin/rsh && setcap cap_net_bind_service=+ep /usr/bin/rsh` works fine here.
Comment by Eric Belanger (Snowman) - Thursday, 25 September 2014, 02:12 GMT
I followed the example too closely: I forgot to replace cap_net_raw by cap_net_bind_service. Implemented in inetutils-1.9.2-2 in [testing].

Loading...