On 05/20/2012 05:35 PM, Alex Efros wrote:
> Hi!
>
> I'm not sure if this is the right place to ask…

Oh no! You committed a grave sin asking here ... j/k :) You can always
ask and if we don't know then we'll redirect.

>
> What is the current status for filesystem xattr, acl and caps?

Working on it but progress is slow in gentoo. The biggest obstacles are
almost out of the way though with portage and tar both supporting xattr
now but only in ~arch.

>
> I usually keep all of this disabled in the kernel, because I don't use them
> and wanna avoid needless complexity. But today consolekit (which I don't
> use, but which is installed anyway as someone's dependency) asked me to
> enable CONFIG_TMPFS_POSIX_ACL. And I decided to check all this crap once again.
>
> I may be wrong here, but after a glance at it I got this impression:
>
> XATTR
> Needed only if you use ACL or CAPS (or wanna play with custom file
> attributes).
> ACL
> Not sure about the consolekit requirement above, but otherwise it looks
> useless (if you don't need to use complicated file permissions).
> CAPS
> Looks promising, it's always good to remove the suid bit, BUT:
> a) looks like the only app which uses it now on my workstation is
> wireshark, even /bin/ping is still installed suid
> b) pam_cap.so isn't used by default (not sure why) so you can't change
> a user's default capabilities using /etc/security/capability.conf
>
> So, until most/all suid apps in portage get CAPS support, for me it looks
> like it's better to switch off all these things.
>

Okay this is where I have to redirect you because I'm not aware of this
particular issue, i.e. why consolekit needs tmpfs posix acls. To be
clear, this means acl support on files that are on a tmpfs system. This
was pushed upstream by redhat, which needed it for selinux. But if you're
not running a selinux system, I'm not sure why consolekit would need this.

In general though, it's safe to turn on xattr/acl/caps even if you don't
use them, and in some cases, e.g. selinux or the new pax markings, you
must have xattr.

I don't think this answers your question but it does give you more context.


--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
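As an added example, not part of this thread or of any project mentioned in it: a small Python audit illustrating the xattr/caps relationship discussed above. File capabilities are stored in the security.capability xattr (so a filesystem built without xattr support cannot carry them), and walking a tree shows which binaries are still setuid versus which have moved to caps, the ping-vs-wireshark situation Alex describes. The capability bit numbers and the vfs_cap_data layout come from the Linux headers; the sample tree, the CAP_NAMES subset and the injected dumpcap capability blob are constructed here because writing the real xattr requires CAP_SETFCAP.

```python
import os, stat, struct, tempfile

# Capability bit numbers from <linux/capability.h> (subset, constructed here).
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 7: "cap_setuid",
             12: "cap_net_admin", 13: "cap_net_raw", 21: "cap_sys_admin"}

def _bits(mask):
    return {CAP_NAMES.get(i, f"cap_{i}") for i in range(64) if mask >> i & 1}

def decode_vfs_cap(blob):
    """Parse a security.capability value (struct vfs_cap_data): top byte of the
    first word is the revision, its low bit marks the permitted set effective;
    rev 1 carries one (permitted, inheritable) pair, rev 2 and 3 carry two."""
    magic, = struct.unpack_from("<I", blob, 0)
    rev, perm, inh = magic >> 24, 0, 0
    for i in range({1: 1, 2: 2, 3: 2}[rev]):
        p, h = struct.unpack_from("<II", blob, 4 + 8 * i)
        perm, inh = perm | p << 32 * i, inh | h << 32 * i
    return {"revision": rev, "effective": bool(magic & 1),
            "permitted": _bits(perm), "inheritable": _bits(inh)}

def read_cap_xattr(path):
    try:  # ENODATA: no caps on this file; ENOTSUP: filesystem built without xattr
        return os.getxattr(path, "security.capability", follow_symlinks=False)
    except OSError:
        return None

def audit(root, read_cap=read_cap_xattr):
    """Regular files under root that are setuid/setgid or carry file caps."""
    found = []
    for d, _, files in os.walk(root):
        for name in files:
            path = os.path.join(d, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue
            suid, sgid = bool(mode & stat.S_ISUID), bool(mode & stat.S_ISGID)
            blob = read_cap(path)
            if suid or sgid or blob:
                found.append({"name": name, "setuid": suid, "setgid": sgid,
                              "caps": decode_vfs_cap(blob) if blob else None})
    return sorted(found, key=lambda e: e["name"])

# Constructed: the bytes `setcap cap_net_raw+ep` stores (rev 2, effective flag set).
PING_CAP = struct.pack("<IIIII", 0x02000001, 1 << 13, 0, 0, 0)

def demo():
    """Scratch tree: setuid 'ping', 'dumpcap' with an injected cap blob, plain 'ls'."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("ping", 0o4755), ("dumpcap", 0o755), ("ls", 0o755)):
            open(os.path.join(tmp, name), "w").close()
            os.chmod(os.path.join(tmp, name), mode)
        return audit(tmp, lambda p: PING_CAP if p.endswith("dumpcap") else None)
```

On a real system, `audit("/usr/bin")` with the default reader gives the same report from the live xattrs; `demo()` only stands in for it where caps cannot be set.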