[arch-general] Policy about packages and file capabilities

Leonid Isaev leonid.isaev at jila.colorado.edu
Mon Nov 16 19:09:08 UTC 2015


On Mon, Nov 16, 2015 at 07:51:30PM +0100, Damjan Georgievski wrote:
> What's the policy about capabilities for executables in Arch packages?

I _guess_ that capabilities are used to avoid SUID binaries when this is
secure.

> I'm asking since in my setup I'm running wpa_supplicant as the
> 'nobody' user, but I let it keep the NET_ADMIN and NET_RAW
> capabilities (excerpt from the .service file):

Read the caveat here: https://w1.fi/cgit/hostap/plain/wpa_supplicant/README .
Basically, you'll need a special user/group for executing
/usr/bin/wpa_supplicant.

In general, why is this necessary? What kind of attack (besides DoS) is
possible against wpa_supplicant?

Cheers,
-- 
Leonid Isaev
GPG fingerprints: DA92 034D B4A8 EC51 7EA6  20DF 9291 EE8A 043C B8C4
                  C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D


More information about the arch-general mailing list