drop SECURITY_FILE_CAPABILITIES? (fwd)
Eric Paris
eparis at redhat.com
Wed Nov 11 16:40:17 UTC 2009
On Wed, 2009-11-11 at 11:32 -0500, Dave Jones wrote:
> On Wed, Nov 11, 2009 at 09:52:02AM -0500, Adam Jackson wrote:
> > On Tue, 2009-11-10 at 18:00 -0500, Dave Jones wrote:
> > > On Wed, Nov 11, 2009 at 09:56:57AM +1100, James Morris wrote:
> > > > How might this affect the Fedora kernel?
> > >
> > > We set it =y, so it wouldn't affect us if I understand correctly.
> > > Also, I'm not sure that anything in userspace is actually using
> > > this feature yet anyway.
> >
> > google codesearch to the rescue:
> >
> > http://google.com/codesearch?hl=en&sa=N&filter=0&q=prctl.*PR_CAPBSET_DROP
>
> afaik, that prctl is available regardless of the option being set.
> I meant I don't think anything we ship is using the file capabilities,
> which is a way of marking executable files with the caps they need
> instead of having them be setuid.
>
> (I'm not even sure what tool we would use to set those capabilities,
> or if we ship it)

/usr/sbin/setcap
from libcap

But you are right, Fedora makes no use of file capabilities anywhere in
the distro to my knowledge.

-Eric
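
One way to check a tree for files that carry file capabilities, as an added example that is not part of the original message or of libcap: it reads the `security.capability` extended attribute that setcap writes and decodes the kernel's vfs_cap_data layout. The function names, the partial capability name table and the sample blob are constructed for illustration, and the default scan root `/usr` is an assumption.

```python
import os
import struct
import sys

XATTR = "security.capability"  # extended attribute that holds a file's capabilities
REVISION_MASK = 0xFF000000
FLAG_EFFECTIVE = 0x000001
# vfs_cap_data revision -> number of 32-bit (permitted, inheritable) pairs
REVISION_WORDS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}
# Partial name table (numbers from linux/capability.h); others print as cap_<n>
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 7: "cap_setuid",
             10: "cap_net_bind_service", 13: "cap_net_raw", 21: "cap_sys_admin"}

def names(mask):  # bitmask -> sorted list of capability names
    return sorted(CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if mask >> b & 1)

def decode_file_caps(raw):
    """Decode a little-endian vfs_cap_data blob; raise ValueError if malformed."""
    magic = struct.unpack_from("<I", raw)[0] if len(raw) >= 4 else 0
    words = REVISION_WORDS.get(magic & REVISION_MASK)
    if words is None or len(raw) < 4 + 8 * words:
        raise ValueError("unknown revision or truncated blob")
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {"permitted": names(permitted), "inheritable": names(inheritable),
            "effective": bool(magic & FLAG_EFFECTIVE)}

def scan(root):
    """Yield (path, decoded caps) for each file under root that carries the xattr."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                raw = os.getxattr(path, XATTR, follow_symlinks=False)
                yield path, decode_file_caps(raw)
            except OSError:
                continue  # no such xattr, unsupported filesystem, or unreadable
            except ValueError as exc:
                yield path, {"error": str(exc)}

# Constructed sample: revision 2 blob granting cap_net_raw with the effective flag
SAMPLE = struct.pack("<IIIII", 0x02000000 | FLAG_EFFECTIVE, 1 << 13, 0, 0, 0)

if __name__ == "__main__":
    print("sample:", decode_file_caps(SAMPLE))
    for path, caps in scan(sys.argv[1] if len(sys.argv) > 1 else "/usr"):
        print(path, caps)
```

An empty result from `scan` on an installed tree corresponds to the situation described in the message: no shipped binary relies on file capabilities.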