Fedora 11: moving to posix file capabilities?
Panu Matilainen
pmatilai at laiskiainen.org
Thu Oct 30 18:41:06 UTC 2008
On Thu, 30 Oct 2008, seth vidal wrote:
> On Thu, 2008-10-30 at 20:25 +0200, Panu Matilainen wrote:
>> On Wed, 29 Oct 2008, Steve Grubb wrote:
>>
>>> On Wednesday 29 October 2008 06:37:32 Panu Matilainen wrote:
>>>> We have kernel support for storing capabilities on filesystem since 2.6.24
>>>> and recent libcap, both in F9 already.
>>>
>>> And we have also been busy updating everything else to support this:
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=449984
>>
>> Ah, thanks for the pointer.
>>
>>>
>>>> I just committed file capability support to rpm.org HEAD, filling in the
>>>> final(?) missing piece. Capability support is not going to be in rpm 4.6.0
>>>> but no reason they can't be pulled into 4.6.1 which is easily in F11
>>>> timeframe.
>>>
>>> We tried to support this in F-10 by having a test run with ping. We figured
>>> that is a simple well defined app that could be used as a test subject. We
>>> opened bz 455713 to document the change over. Turns out that people compile
>>> their own kernels and do not necessarily turn this on. So, what do we do in
>>> that case?
>>
>> People compiling their own kernels can hose their systems more
>> dramatically than this...
>>
>>>
>>>> Are we ready to start considering moving away from SUID bits to
>>>> capabilities, in Fedora 11 maybe?
>>>
>>> We tried and got turned back. How does rpm work on kernels that do not support
>>> file capabilities? I'd like to see us get past the initial objections so that
>>> we can start removing some of the setuid bits.
>>
>> Right now, installation of a package using capabilities will fail entirely
>> if kernel/filesystem doesn't support setting capabilities. Packages with
>> capabilities in them require rpmlib(FileCaps) feature, which rpm currently
>> provides if built with libcap support. It could (and probably should,
>> anyway) be made into a run-time tested feature, so that you'll get
>> something like this if running on kernel with no capability support:
>>
>> error: Failed dependencies:
>> rpmlib(FileCaps) <= 4.6.1-1 is needed by ...
>
> Except nothing really watches those rpmlib() deps much at all, does it?
Rpm itself does, so unless you use --nodeps (or the API equivalent of
that) it'll get caught before transaction starts.
- Panu -
More information about the fedora-devel-list
mailing list