| 1 |
On Tue, 02 Aug 2011 10:28:58 -0400 |
| 2 |
"Anthony G. Basile" <blueness@g.o> wrote: |
| 3 |
> I prefer capsetting in the PMS itself, with a nice clean function |
| 4 |
> which auto detects all the necessary conditions and transparently |
| 5 |
> preserves caps, as you suggest. Maybe this can be in EAPI=5. |
| 6 |
|
| 7 |
Would need a spec, along with a way of dealing with all the problems: |
| 8 |
what happens if the build fs supports caps but the install fs doesn't? |
| 9 |
What about if caps are supported on both but in different ways (tmpfs |
| 10 |
on some kernels)? Is it up to the PM to deal with that? How does the PM |
| 11 |
even know? |
| 12 |
|
| 13 |
> I'm also wondering if, in the mean time, it might be worth writing a |
| 14 |
> bash script and/or howto on converting as many binaries as possible |
| 15 |
> from setuid to caps --- hitting up all the usual suspects. Its not |
| 16 |
> ideal but might still be useful until we get this squarely in the PMS. |
| 17 |
|
| 18 |
PMS currently explicitly states that caps might get clobbered on a |
| 19 |
merge (because Portage does that sometimes). So if you're doing it now, |
| 20 |
it'd have to be as a pkg_postinst thing. But I'd strongly recommend not |
| 21 |
going that route, since it'll almost certainly go horribly wrong in a |
| 22 |
"your system randomly no longer works" kind of way... Better to ban |
| 23 |
things from using caps for now. |
| 24 |
|
| 25 |
-- |
| 26 |
Ciaran McCreesh |
Archives