author | Andrew G. Morgan <morgan@kernel.org> | 2019-12-13 17:30:23 -0800 |
---|---|---|
committer | Andrew G. Morgan <morgan@kernel.org> | 2019-12-13 17:30:23 -0800 |
commit | 2b5f5635be6131d7e89b4c6244b29f32ebd163c1 (patch) | |
tree | 496b977ac4a94ee632eeece27946660d127878ea /Make.Rules | |
parent | 2bd8e293982acc034554b7f66d6b969f24199876 (diff) | |
download | libcap-2b5f5635be6131d7e89b4c6244b29f32ebd163c1.tar.gz |
Restructure the make files into build vs. test
Also install the Go packages if built.
Remove a default behavior of installing an inheritable bit on setcap.
I'm getting alarmed that some distributions are setting the inheritable
set to full for all users. So, I don't want to provide a vector for
a trivial exploit, and hope they are not reinventing this:
https://sites.google.com/site/fullycapable/Home/thesendmailcapabilitiesissue
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Diffstat (limited to 'Make.Rules')
-rw-r--r-- | Make.Rules | 37 |
1 files changed, 30 insertions, 7 deletions
@@ -86,15 +86,38 @@ CGO_LDFLAGS_ALLOW := -Wl,-wrap,.+ CGO_REQUIRED=$(shell $(topdir)/go/cgo-required.sh) endif -# When installing setcap, set its inheritable bit to be able to place -# capabilities on files. It can be used in conjunction with pam_cap -# (associated with su and certain users say) to make it useful for -# specially blessed users. If you wish to drop this install feature, -# use this command when running install +# When installing setcap, you can arrange for the installation process +# to set its inheritable bit to be able to place capabilities on files. +# It can be used in conjunction with pam_cap (associated with su and +# certain users say) to make it useful for specially blessed users. # -# make RAISE_SETFCAP=no install +# make RAISE_SETFCAP=yes install # -RAISE_SETFCAP := yes +# This is now defaulted to no because some distributions have started +# shipping with all users blessed with full inheritable sets which makes +# no sense whatsoever! +# +# Indeed, it looks alarmingly like these distributions are recreating +# the environment for what became known as the sendmail-capabilities +# bug from 2000: +# +# https://sites.google.com/site/fullycapable/Home/thesendmailcapabilitiesissue +# +# they are also nullifying the difference between a p-bit and an i-bit. +# +# Folk really should read this document, which explains there is a really +# important difference being lost here: +# +# https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/33528.pdf +# +# In the context of this tree, on such such systems, a yes setting will +# guarantee that every user, by default, is able to bless any binary with +# any capability - a ready made local exploit machanism. +RAISE_SETFCAP := no + +# If set to yes, this will cause the go "web" demo app to force the needed p +# bit to be able to bind to port 80 without running as root. +RAISE_GO_FILECAP := no # Global cleanup stuff |
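Review bot: In the comment added above `RAISE_SETFCAP := no`, the closing paragraph has "such such systems" and "machanism"; change them to "on such systems" and "mechanism", since this is the text a packager reads when deciding whether to pass `RAISE_SETFCAP=yes`. The new `RAISE_GO_FILECAP := no` knob at the end of the hunk is not mentioned in the commit message, and its comment says only "the needed p bit"; naming the capability it sets would let someone auditing an install see exactly what a yes setting grants.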