Diffstat (limited to 'Make.Rules')
-rw-r--r-- | Make.Rules | 37 |
1 files changed, 30 insertions, 7 deletions
@@ -86,15 +86,38 @@ CGO_LDFLAGS_ALLOW := -Wl,-wrap,.+
 CGO_REQUIRED=$(shell $(topdir)/go/cgo-required.sh)
 endif
-# When installing setcap, set its inheritable bit to be able to place
-# capabilities on files. It can be used in conjunction with pam_cap
-# (associated with su and certain users say) to make it useful for
-# specially blessed users. If you wish to drop this install feature,
-# use this command when running install
+# When installing setcap, you can arrange for the installation process
+# to set its inheritable bit to be able to place capabilities on files.
+# It can be used in conjunction with pam_cap (associated with su and
+# certain users say) to make it useful for specially blessed users.
 #
-# make RAISE_SETFCAP=no install
+# make RAISE_SETFCAP=yes install
 #
-RAISE_SETFCAP := yes
+# This is now defaulted to no because some distributions have started
+# shipping with all users blessed with full inheritable sets which makes
+# no sense whatsoever!
+#
+# Indeed, it looks alarmingly like these distributions are recreating
+# the environment for what became known as the sendmail-capabilities
+# bug from 2000:
+#
+# https://sites.google.com/site/fullycapable/Home/thesendmailcapabilitiesissue
+#
+# they are also nullifying the difference between a p-bit and an i-bit.
+#
+# Folk really should read this document, which explains there is a really
+# important difference being lost here:
+#
+# https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/33528.pdf
+#
+# In the context of this tree, on such such systems, a yes setting will
+# guarantee that every user, by default, is able to bless any binary with
+# any capability - a ready made local exploit machanism.
+RAISE_SETFCAP := no
+
+# If set to yes, this will cause the go "web" demo app to force the needed p
+# bit to be able to bind to port 80 without running as root.
+RAISE_GO_FILECAP := no
 # Global cleanup stuff |
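Review bot: The closing two lines of the new comment above `RAISE_SETFCAP := no` carry typos in exactly the sentence that states the risk of flipping the default, and should read `# In the context of this tree, on such systems, a yes setting will` and `# any capability - a ready made local exploit mechanism.`. The `RAISE_GO_FILECAP` knob added at the end of the hunk gets a far thinner comment than its sibling; it would help to document its override the same way, `# make RAISE_GO_FILECAP=yes install`, and to say that, like RAISE_SETFCAP, it adds a file capability to an installed binary at install time, which is presumably why it also defaults to no. Both knobs are plain `:=` assignments, so only a command-line assignment (or `make -e`) changes them, which is the appropriate choice for an install-time privilege switch; a one-line comment saying so would stop a later cleanup from relaxing them to `?=` and letting a stray environment variable raise the bits.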