| 1 |
On 05/20/2012 05:35 PM, Alex Efros wrote: |
| 2 |
> Hi! |
| 3 |
> |
| 4 |
> I'm not sure is this right place to ask… |
| 5 |
|
| 6 |
Oh no! You committed a grave sin asking here ... j/k :) You can always |
| 7 |
ask and if we don't know then we'll redirect. |
| 8 |
|
| 9 |
> |
| 10 |
> What is current status for filesystem's xattr, acl and caps? |
| 11 |
|
| 12 |
Working on it but progress is slow in gentoo. The biggest obstacles are |
| 13 |
almost out of the way though with portage and tar both supporting xattr |
| 14 |
now but only in ~arch. |
| 15 |
|
| 16 |
> |
| 17 |
> I'm usually keep all of this disabled in kernel, because I don't use them |
| 18 |
> and wanna avoid needless complexity. But today consolekit (which I don't |
| 19 |
> use, but which is installed anyway as someone's dependency) asked me to |
| 20 |
> enable CONFIG_TMPFS_POSIX_ACL. And I decide to check all this crap once again. |
| 21 |
> |
| 22 |
> I may be wrong here, but after glance look at it I got this impression: |
| 23 |
> |
| 24 |
> XATTR |
| 25 |
> Needed only if you use ACL or CAPS (or wanna play with custom file |
| 26 |
> attributes). |
| 27 |
> ACL |
| 28 |
> Not sure about consolekit requirement above, but otherwise it looks |
| 29 |
> useless (if you don't need to use complicated file permissions). |
| 30 |
> CAPS |
| 31 |
> Looks promising, it's always good to remove suid bit, BUT: |
| 32 |
> a) looks like only app which uses it now on my workstation is |
| 33 |
> wireshark, even /bin/ping is still installed suid |
| 34 |
> b) pam_cap.so doesn't used by default (not sure why) so you can't change |
| 35 |
> user's default capabilities using /etc/security/capability.conf |
| 36 |
> |
| 37 |
> So, until most/all suid apps in portage get CAPS support for me it looks |
| 38 |
> like it's better to switch off all these things. |
| 39 |
> |
| 40 |
|
| 41 |
Okay this is where I have to redirect you because I'm not aware of this |
| 42 |
particular issue, ie why consolekit needs tmpfs posix acls. To be |
| 43 |
clear, this means acl support on files that are on a tmpfs system. This |
| 44 |
was pushed upstream by redhat that needed it for selinux. But if you're |
| 45 |
not running a selinux system, i'm not sure why consolekit would need this. |
| 46 |
|
| 47 |
In general though, its safe to turn on xattr/acl/caps even if you don't |
| 48 |
use them, and in some cases, eg selinux or the new pax markings, you |
| 49 |
must have xattr. |
| 50 |
|
| 51 |
I don't think this answers your question but it does give you more context. |
| 52 |
|
| 53 |
|
| 54 |
-- |
| 55 |
Anthony G. Basile, Ph. D. |
| 56 |
Chair of Information Technology |
| 57 |
D'Youville College |
| 58 |
Buffalo, NY 14201 |
| 59 |
(716) 829-8197 |
Archives