1 |
Grant Goodyear wrote: |
2 |
|
3 |
>>The user would like a way to disable linux compatability if your kernel |
4 |
>>does not support it by using the 'caps' use flag. Maybe I dont fully |
5 |
>>understand 'linux compatability' but if we're all running Gentoo, arent |
6 |
>>we all running linux in the first place? |
7 |
> |
8 |
> |
9 |
> It's "capabilities", not "compatability [sic]". My understanding |
10 |
> is that capabilities allow for partitioning of root's all-powerful |
11 |
> nature into fine-grained permissions. Thus, obtaining root is no longer |
12 |
> sufficient to do massive harm. I believe this notion is central to |
13 |
> selinux, but I'm not sure if anything else uses it at the moment. |
14 |
> |
15 |
> |
16 |
capabilities predates selinux and pretty much every other modern ACL/MAC |
17 |
system. You are correct about the purpose of capabilities though, the |
18 |
general use of them is to start up an app as root, like a daemon, do |
19 |
what it needs (bind < 1024, chroot, etc) and then drop capabilities that |
20 |
it does not need. At that point it's still running as root (uid=0) but |
21 |
doesn't have the ability to, for example, override dac controls or |
22 |
reconfigure network devices or reboot the system) |
23 |
|
24 |
>>My problem surfaces: Bind enables 'linux compatability' by default. |
25 |
>>Gentoo does have a linux compability flag (caps), but this is only to |
26 |
>>ENABLE linux compatability, not to disable it. I attempted to use the |
27 |
>>bugger's suggestion, but repoman got pissed on a full scan. Grant |
28 |
>>mentioned maybe making 'caps' part of the default use flag. |
29 |
> |
30 |
> |
31 |
> Actually, what I said is that capabilities should be disabled _unless_ |
32 |
> USE=caps, and that if there seemed to be a broad need for capabilities |
33 |
> for our users then we might want to discuss making it a default USE |
34 |
> flag. |
35 |
> |
36 |
capabilities should _never_ be disabled in an application, there is no |
37 |
reason for this, it's absolute silliness. Not only does capabilities add |
38 |
badly needed security to many apps but it's available in all linux |
39 |
kernels. There is an LSM capabilities module that may be confusing some |
40 |
people, more on this in a sec. |
41 |
|
42 |
> |
43 |
>>Basically I'd like a way of using a "reverse" use flag, -caps, and if |
44 |
>>-caps is set, disable linux compat; if the flag is not set, do not add |
45 |
>>any --config-option at all. |
46 |
> |
47 |
> |
48 |
> I don't think a reverse flag is needed here. The fact that bind only |
49 |
> has a --disable setting for capabilities and not an --enable is a bit |
50 |
> odd, but it doesn't require us to change how our USE flags work. If |
51 |
> USE=caps, then no flag needs to be sent to configure (but comment the |
52 |
> ebuild so there's a record that bind's configure is warped), but if |
53 |
> "caps" is not in USE, then send the --disable. |
54 |
> |
55 |
ok, grepping through the tree I see gnupg using this flag which doesn't |
56 |
actually enable/disable the use of capabilities but makes it aware of |
57 |
them. There may be other places where disabling capabilities may be |
58 |
acceptable risk for real time apps or something like that (i see |
59 |
jack-audio-connection-kit has the ability to explicitly enable them |
60 |
|
61 |
use caps && myconf="${myconf} --enable-capabilities --enable-stripped-jackd" |
62 |
|
63 |
The logic seems wrong there but I don't even know what that app does so |
64 |
I don't care. |
65 |
|
66 |
|
67 |
Now then, about LSM.. Capabilities are still hard coded into the kernel |
68 |
if you do _NOT_ use LSM (ie: selinux). That means every single Linux |
69 |
kernel has capabilies enabled and available. Once LSM is enabled the |
70 |
capabilities module takes over cap handling. This is why we recommend |
71 |
(strongly!) that the capabilities module be enabled with selinux. |
72 |
|
73 |
Joshua Brindle |
74 |
|
75 |
-- |
76 |
gentoo-dev@g.o mailing list |