| 1 |
On 08/02/2011 03:08 AM, Michał Górny wrote: |
| 2 |
> On Sun, 31 Jul 2011 16:00:40 -0400 |
| 3 |
> "Anthony G. Basile" <blueness@g.o> wrote: |
| 4 |
> |
| 5 |
>> On 07/31/2011 03:46 PM, Nirbheek Chauhan wrote: |
| 6 |
>>> On Sun, Jul 31, 2011 at 8:13 PM, Anthony G. Basile |
| 7 |
>>> <blueness@g.o> wrote: |
| 8 |
>>>> Hi everyone, |
| 9 |
>>>> |
| 10 |
>>>> A couple of days ago, bonsaikitten (Patrick), kerframil (Kerin |
| 11 |
>>>> Millar) and myself were talking about other distros moving away |
| 12 |
>>>> from setuid binaries towards caps. Openwall and Fedora are now |
| 13 |
>>>> setuid-less [1]. Some googling showed that Constanze has done |
| 14 |
>>>> quite a bit of work in the area and that there was a consensus to |
| 15 |
>>>> include functions to set caps within portage [2]. I don't know |
| 16 |
>>>> what, if anything has been done since then, but I'd like to lend |
| 17 |
>>>> my support. |
| 18 |
>>>> |
| 19 |
>>> One problem that came up was that a lot of people use tmpfs for |
| 20 |
>>> /var/tmp/portage, and tmpfs doesn't support xattrs which are needed |
| 21 |
>>> for setting caps. |
| 22 |
>>> |
| 23 |
>>> Linux 3.0 has added support for xattrs with tmpfs (the redhat folks |
| 24 |
>>> did the work, afaik), so that problem is partly solved now. |
| 25 |
>> |
| 26 |
>> I know, there are lots of places where xattrs is not supported that |
| 27 |
>> lead to the same problem. I'm tempted to respond with pkg_postinst() |
| 28 |
>> but I see QA problems written all over that. |
| 29 |
> |
| 30 |
> We can either do that or 'Future EAPI' capsetting in PMS. Then, a PM |
| 31 |
> could implement capsetting functions in a such way that they will |
| 32 |
> preserve caps internally to PM and re-set them when merging to livefs. |
| 33 |
> |
| 34 |
|
| 35 |
I prefer capsetting in the PMS itself, with a nice clean function which |
| 36 |
auto detects all the necessary conditions and transparently preserves |
| 37 |
caps, as you suggest. Maybe this can be in EAPI=5. |
| 38 |
|
| 39 |
I'm also wondering if, in the mean time, it might be worth writing a |
| 40 |
bash script and/or howto on converting as many binaries as possible from |
| 41 |
setuid to caps --- hitting up all the usual suspects. Its not ideal but |
| 42 |
might still be useful until we get this squarely in the PMS. |
| 43 |
|
| 44 |
-- |
| 45 |
Anthony G. Basile, Ph.D. |
| 46 |
Gentoo Linux Developer [Hardened] |
| 47 |
E-Mail : blueness@g.o |
| 48 |
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 |
| 49 |
GnuPG ID : D0455535 |
Archives