| 1 |
Grant Goodyear wrote: |
| 2 |
|
| 3 |
>>The user would like a way to disable linux compatability if your kernel |
| 4 |
>>does not support it by using the 'caps' use flag. Maybe I dont fully |
| 5 |
>>understand 'linux compatability' but if we're all running Gentoo, arent |
| 6 |
>>we all running linux in the first place? |
| 7 |
> |
| 8 |
> |
| 9 |
> It's "capabilities", not "compatability [sic]". My understanding |
| 10 |
> is that capabilities allow for partitioning of root's all-powerful |
| 11 |
> nature into fine-grained permissions. Thus, obtaining root is no longer |
| 12 |
> sufficient to do massive harm. I believe this notion is central to |
| 13 |
> selinux, but I'm not sure if anything else uses it at the moment. |
| 14 |
> |
| 15 |
> |
| 16 |
capabilities predates selinux and pretty much every other modern ACL/MAC |
| 17 |
system. You are correct about the purpose of capabilities though, the |
| 18 |
general use of them is to start up an app as root, like a daemon, do |
| 19 |
what it needs (bind < 1024, chroot, etc) and then drop capabilities that |
| 20 |
it does not need. At that point it's still running as root (uid=0) but |
| 21 |
doesn't have the ability to, for example, override dac controls or |
| 22 |
reconfigure network devices or reboot the system) |
| 23 |
|
| 24 |
>>My problem surfaces: Bind enables 'linux compatability' by default. |
| 25 |
>>Gentoo does have a linux compability flag (caps), but this is only to |
| 26 |
>>ENABLE linux compatability, not to disable it. I attempted to use the |
| 27 |
>>bugger's suggestion, but repoman got pissed on a full scan. Grant |
| 28 |
>>mentioned maybe making 'caps' part of the default use flag. |
| 29 |
> |
| 30 |
> |
| 31 |
> Actually, what I said is that capabilities should be disabled _unless_ |
| 32 |
> USE=caps, and that if there seemed to be a broad need for capabilities |
| 33 |
> for our users then we might want to discuss making it a default USE |
| 34 |
> flag. |
| 35 |
> |
| 36 |
capabilities should _never_ be disabled in an application, there is no |
| 37 |
reason for this, it's absolute silliness. Not only does capabilities add |
| 38 |
badly needed security to many apps but it's available in all linux |
| 39 |
kernels. There is an LSM capabilities module that may be confusing some |
| 40 |
people, more on this in a sec. |
| 41 |
|
| 42 |
> |
| 43 |
>>Basically I'd like a way of using a "reverse" use flag, -caps, and if |
| 44 |
>>-caps is set, disable linux compat; if the flag is not set, do not add |
| 45 |
>>any --config-option at all. |
| 46 |
> |
| 47 |
> |
| 48 |
> I don't think a reverse flag is needed here. The fact that bind only |
| 49 |
> has a --disable setting for capabilities and not an --enable is a bit |
| 50 |
> odd, but it doesn't require us to change how our USE flags work. If |
| 51 |
> USE=caps, then no flag needs to be sent to configure (but comment the |
| 52 |
> ebuild so there's a record that bind's configure is warped), but if |
| 53 |
> "caps" is not in USE, then send the --disable. |
| 54 |
> |
| 55 |
ok, grepping through the tree I see gnupg using this flag which doesn't |
| 56 |
actually enable/disable the use of capabilities but makes it aware of |
| 57 |
them. There may be other places where disabling capabilities may be |
| 58 |
acceptable risk for real time apps or something like that (i see |
| 59 |
jack-audio-connection-kit has the ability to explicitly enable them |
| 60 |
|
| 61 |
use caps && myconf="${myconf} --enable-capabilities --enable-stripped-jackd" |
| 62 |
|
| 63 |
The logic seems wrong there but I don't even know what that app does so |
| 64 |
I don't care. |
| 65 |
|
| 66 |
|
| 67 |
Now then, about LSM.. Capabilities are still hard coded into the kernel |
| 68 |
if you do _NOT_ use LSM (ie: selinux). That means every single Linux |
| 69 |
kernel has capabilies enabled and available. Once LSM is enabled the |
| 70 |
capabilities module takes over cap handling. This is why we recommend |
| 71 |
(strongly!) that the capabilities module be enabled with selinux. |
| 72 |
|
| 73 |
Joshua Brindle |
| 74 |
|
| 75 |
-- |
| 76 |
gentoo-dev@g.o mailing list |
Archives