
desktop-packages team mailing list archive

[Bug 1371695] [NEW] .deb packages do not support capabilities(7)


Public bug reported:

There are strong reasons to not run processes with full root privileges,
and much work has been done to eliminate setuid executables from the
distros.

One tool in the toolbox for more secure processes is capabilities(7),
which was defined in the (now withdrawn) POSIX 1e draft standard
(http://wt.tuxomania.net/publications/posix.1e/download/Posix_1003.1e-990310.pdf.bz2).
It provides a way to grant a process a finer-grained set of privileges
rather than full root privileges.

The RPM packaging system has supported capabilities via the %caps file
directive since release 4.7
(http://www.rpm.org/wiki/Releases/4.7.0#POSIX.1edraft15filecapabilities).

deb packages should similarly support a way to specify that capabilities
be set on delivered files, to encourage the adoption of more secure
practices on Debian systems.

Most daemons currently running as root do not require full root
privileges, and would be more secure running at low privilege with
specifically-defined capabilities as required. This would reduce the
security vulnerability footprint of such processes and also enhance
security analysis of such processes by explicitly declaring security
requirements via the capabilities set. Even if we do not tackle this
approach with all processes today, encouraging this approach will lead
to better security practices.
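The report's point is that a daemon should hold only the capabilities it needs rather than the whole root set. The following is an added example, not part of the bug report or of dh-make: it decodes the Cap* masks the kernel exposes in /proc/<pid>/status (capability numbers as in linux/capability.h) so a running daemon's effective set can be compared with an allowlist. The two status excerpts are constructed, not captured from a real process.

```python
"""Decode the capability bit masks that the kernel reports in
/proc/<pid>/status, so the privilege a daemon actually holds can be
checked against what it needs.  Capability numbers follow
<linux/capability.h>; the sample status text below is constructed."""
import re

CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

def decode_caps(mask: int) -> list[str]:
    """Turn a capability bit mask into the list of capability names it sets."""
    names = []
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            # Bits a newer kernel defines but this table does not are
            # reported numerically rather than silently dropped.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names

def parse_cap_sets(status_text: str) -> dict[str, int]:
    """Extract the Cap* lines (hex masks) from /proc/<pid>/status text."""
    sets = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", line.strip())
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    return sets

def excess_caps(status_text: str, needed: set[str]) -> list[str]:
    """Capabilities in the effective set beyond what the daemon needs."""
    effective = decode_caps(parse_cap_sets(status_text)["CapEff"])
    return sorted(c for c in effective if c not in needed)

# Constructed excerpts: a web server confined to binding a privileged port,
# and the same server started as full root (all 41 capabilities).
CONFINED = "Uid:\t33\t33\t33\t33\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n"
FULL_ROOT = "Uid:\t0\t0\t0\t0\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    for label, text in (("confined", CONFINED), ("full root", FULL_ROOT)):
        print(label, excess_caps(text, {"CAP_NET_BIND_SERVICE"}))
```

On a live system the same functions can be fed the contents of /proc/<pid>/status for each daemon to list what it holds beyond its allowlist.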

** Affects: dh-make
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public

** Description changed:

  There are strong reasons to not run processes with full root privileges,
  and much work has been done to eliminate setuid executables from the
  distros.
  
- One tool in the quiver for more secure processes is capabilities(7),
+ One tool in the toolbox for more secure processes is capabilities(7),
  which was defined in the (now withdrawn) POSIX 1e draft standard
  (http://wt.tuxomania.net/publications/posix.1e/download/Posix_1003.1e-990310.pdf.bz2).
  It provides a way to grant a process a finer-grained set of privileges
  rather than full root privileges.
  
  The RPM packaging system has supported capabilities via the %caps file
  directive since release 4.7
  (http://www.rpm.org/wiki/Releases/4.7.0#POSIX.1edraft15filecapabilities).
  
  deb packages should similarly support a way to specify that capabilities
  be set on delivered files, to encourage the adoption of more secure
  practices on Debian systems.
  
  Most daemons currently running as root do not require full root
  privileges, and would be more secure running at low privilege with
  specifically-defined capabilities as required. This would reduce the
  security vulnerability footprint of such processes and also enhance
  security analysis of such processes by explicitly declaring security
  requirements via the capabilities set. Even if we do not tackle this
  approach with all processes today, encouraging this approach will lead
  to better security practices.

** Package changed: software-center (Ubuntu) => dh-make

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to software-center in Ubuntu.
https://bugs.launchpad.net/bugs/1371695

Title:
  .deb packages do not support capabilities(7)

Status in dh-make - debhelper make:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/dh-make/+bug/1371695/+subscriptions
