On Fri, Feb 12, 2016 at 12:40:37PM +0000, Tom Hughes wrote:
> On 12/02/16 12:24, Jakub Filak wrote:
> >I believe that maintainers of packages like chrony will be really delighted
> >with this change, while it will not weaken security of Fedora for regular users.
> 
> What part of chrony is setuid? I don't see an suid bit on any of its
> executables... Nor any file capabilities which is the other thing the manual
> page says triggers this.

The chrony files don't have any set*id bits set, but the chronyd
process, like many other daemons, calls setuid()/setgid() in order to
drop root privileges. The proc(5) man page lists that as a reason
for not producing a coredump.

I was wondering what security implications setting suid_dumpable
to 2 by default would have and why it needs to be restricted to development.

-- 
Miroslav Lichvar