Fedora 11: moving to posix file capabilities?
Steve Grubb
sgrubb at redhat.com
Wed Oct 29 19:02:11 UTC 2008
On Wednesday 29 October 2008 06:37:32 Panu Matilainen wrote:
> We have kernel support for storing capabilities on filesystem since 2.6.24
> and recent libcap, both in F9 already.
And we have also been busy updating everything else to support this:
https://bugzilla.redhat.com/show_bug.cgi?id=449984
> I just committed file capability support to rpm.org HEAD, filling in the
> final(?) missing piece. Capability support is not going to be in rpm 4.6.0
> but no reason they can't be pulled into 4.6.1 which is easily in F11
> timeframe.
We tried to support this in F-10 by having a test run with ping. We figured
that is a simple well defined app that could be used as a test subject. We
opened bz 455713 to document the change over. Turns out that people compile
their own kernels and do not necessarily turn this on. So, what do we do in
that case?
> Are we ready to start considering moving away from SUID bits to
> capabilities, in Fedora 11 maybe?
We tried and got turned back. How does rpm work on kernels that do not support
file capabilities? I'd like to see us get past the initial objections so that
we can start removing some of the setuid bits.
-Steve
More information about the fedora-devel-list
mailing list