Fedora 11: moving to posix file capabilities?

Dax Kelson dkelson at gurulabs.com
Sat Nov 1 07:14:05 UTC 2008


On Sat, 2008-11-01 at 01:09 -0600, Dax Kelson wrote:
> On Wed, 2008-10-29 at 15:02 -0400, Steve Grubb wrote:
> 
> > We tried to support this in F-10 by having a test run with ping. We figured 
> > that is a simple well defined app that could be used as a test subject. We 
> > opened bz 455713 to document the change over. Turns out that people compile 
> > their own kernels and do not necessarily turn this on. So, what do we do in 
> > that case?
> 
> I thought more about this.
> 
> How about a check in rc.sysinit to see if the kernel supports
> capabilities? 
> 
> If the check fails it could do either or both of the following:
> 
> 1. Display and log nasty warning message
> 2. Run the command: chmod u+s `cat /etc/posixcapbinaries`
> 
> Doing 2. would be the "friendly" thing to give the user a non-broken
> system. It does make it a bit more complicated because you'd want some
> logic that if they booted back to a kernel with posix capabilities you
> stripped the suid bits. Also, rpm verify will complain.

Another idea.

Leave all the binaries with SUID bit set, but have the /etc/fstab have
'nosuid' on all the filesystems.

Again, have logic in rc.sysinit that detects posix capabilities status
of the kernel and if it is missing, remounts the filesystems with suid
support.

# For all mounted filesystems (mount points read from /proc/mounts)
while read -r device filesystem rest
do
    mount -o remount,suid "$filesystem"
done < /proc/mounts

With this idea you don't have to maintain state, and rpm verify will
always be happy.

Dax Kelson
Guru Labs
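
The rc.sysinit logic described in this message, sketched as an added example that is not part of the original post or of Fedora's initscripts: it decides from a kernel config file whether file capabilities are built in and, if not, prints the remount commands for filesystems currently mounted nosuid. The option name CONFIG_SECURITY_FILE_CAPABILITIES, the function names, and the sample config and mounts data are assumptions constructed for the example, and it narrows the loop to nosuid mounts and prints commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post. Dry run: prints commands only.

# Succeeds if the kernel config file ($1) enables file capabilities.
# Assumption: the build option is CONFIG_SECURITY_FILE_CAPABILITIES.
# A missing or unreadable config file counts as "not supported".
kernel_has_file_caps() {
    grep -q '^CONFIG_SECURITY_FILE_CAPABILITIES=y$' "$1" 2>/dev/null
}

# Prints the mount point of each entry in a /proc/mounts-format file ($1)
# whose option list contains nosuid as a whole option.
nosuid_mounts() {
    awk '{ n = split($4, opt, ",")
           for (i = 1; i <= n; i++) if (opt[i] == "nosuid") { print $2; break } }' "$1"
}

# $1 = kernel config, $2 = mounts file. Prints the remount commands
# rc.sysinit would run; prints nothing when file capabilities are enabled.
plan_remounts() {
    if kernel_has_file_caps "$1"; then return 0; fi
    echo "WARNING: kernel lacks POSIX file capabilities; re-enabling suid" >&2
    nosuid_mounts "$2" | while read -r mp; do
        printf 'mount -o remount,suid %s\n' "$mp"
    done
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/config-nocaps" <<'EOF'
CONFIG_SECURITY=y
# CONFIG_SECURITY_FILE_CAPABILITIES is not set
EOF
cat > "$SAMPLE_DIR/config-caps" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_FILE_CAPABILITIES=y
EOF
cat > "$SAMPLE_DIR/mounts" <<'EOF'
/dev/sda2 / ext3 rw,nosuid,relatime 0 0
/dev/sda1 /boot ext3 rw,relatime 0 0
/dev/sda3 /home ext3 rw,nosuid,nodev 0 0
proc /proc proc rw 0 0
EOF

plan_remounts "$SAMPLE_DIR/config-nocaps" "$SAMPLE_DIR/mounts"
```

Filesystems that were mounted nosuid on purpose, such as removable media, would also lose that protection under this plan, so a real script would restrict the list to the filesystems holding the capability-dependent binaries.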



