On 30/04/13 11:50, Joerg Schilling wrote:
> Nikos Chantziaras <realnc@×××××.com> wrote:
>
>>> Would you call someone who shoots himself into the foot "smart"?
>>>
>>> Recent Linux kernels support fcaps in the filesystems and "somebody" evil, who
>>> knows what he does may even set up fcaps on executable files when the related
>>> support-software is not installed, just because the unstable kernel interfaces
>>> are accessible from libc.
>>>
>>> Do you like people to be able to open security holes?
>>
>> You don't know what my intentions are and why I want to disable libcap.
>> I have my reasons. This happens because it is actually possible to
>> disable it.
>
> I explained why not having libcap by default is a security risk.
>
> You would need to explain your reasons, I currently cannot see a valid
> reason to exclude a very small piece of security relevant software.

I already did that:

> If I use the appropriate
> "enable libcap" flag, and libcap is not there, or it's broken, or
> whatever, I don't want to get a build that's now insecure. I want the
> build to abort with a big, fat error.

Automagic deps are a bad thing. I want to know what's going on, and need
to have a way to make sure that something is indeed enabled/disabled.


>> If you really don't like that, then you should probably make libcap
>> mandatory. Assume it's there, and if it's not, the user should get
>> compile errors.
>
> If you don't like my explanations, you are free to explain your reasons.

I already did. The "you don't know what I intend" part is there to
cover use cases you cannot foresee. Just because we can't think of them
doesn't mean they don't exist.


>> But as long as it's not mandatory, I have my reasons why I would want to
>> disable it, just as I have my reasons why I would want to explicitly
>> enable it. What if autodetection fails? If I use the appropriate
>> "enable libcap" flag, and libcap is not there, or it's broken, or
>> whatever, I don't want to get a build that's now insecure. I want the
>> build to abort with a big, fat error.
>>
>> I think you're too used to binary distros and Solaris to appreciate the
>> different requirements of source-based distros :-)
>
> Solaris is source based too.....

I don't see how. Unless you mean that you can build from source on it.
Which isn't the same thing.


> The real difference to Linux is that Solaris uses a kernel that is
> auto-adjusting to the hardware and usage because it is fully dynamically loaded
> and because all parameters adjust themselves to any needed value as long as there
> is enough kernel memory.

Gentoo isn't Solaris though. Automagic deps cause problems on users'
systems here.


> Linux has a large statically linked part and in theory you may be able to
> compile it without capabilities, but then you would still need to have the
> userland support-code available to permit userland programs to find out whether
> the current kernel includes support or not.
>
> ...it is a matter of understanding security related constraints...

Understanding the problems of automagic deps on source-based Linux is
also important.

Question though: if it's that important to have libcap, why do you
provide a way to build the software without it? Why not just make it
mandatory?
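An added illustration of the configure policy argued for above, not code from this thread or from the software being discussed: a POSIX sh sketch of a tri-state libcap option where `--enable-libcap` aborts when the library is missing, beside the "auto" mode whose outcome silently depends on the build host. The function names and the pkg-config probe are assumptions about a hypothetical project.

```shell
#!/bin/sh
# Tri-state configure option for libcap, autoconf style (hypothetical project):
#   auto -> automagic: build with or without libcap, depending on what the
#           build host happens to have installed, without telling the user
#   yes  -> libcap is required; abort configure if it is missing or broken
#   no   -> never probe for or link libcap

# Map the configure flag (or its absence) to a mode. No flag means "auto",
# which is exactly the automagic behaviour the thread objects to.
libcap_mode_from_flag() {
    case "${1:-}" in
        --enable-libcap|--enable-libcap=yes) echo yes ;;
        --disable-libcap|--enable-libcap=no) echo no ;;
        "")                                  echo auto ;;
        *) echo "error: unknown flag '$1'" >&2; return 1 ;;
    esac
}

# Probe the build host. Assumption: the project locates libcap via pkg-config.
detect_libcap() {
    command -v pkg-config >/dev/null 2>&1 && pkg-config --exists libcap
}

# Apply the policy. $1 = mode, $2 = probe result ("found" or "missing").
# The probe result is a parameter so the decision can be exercised offline.
# Prints the outcome on stdout; returns 1 when configure must abort.
resolve_libcap() {
    case "$1" in
        yes)
            [ "$2" = found ] && { echo enabled; return 0; }
            echo "error: --enable-libcap given but libcap was not found" >&2
            return 1 ;;
        no)
            echo disabled ;;
        auto)
            # Automagic: a security-relevant feature comes and goes with the
            # build host's package set, and the resulting binary looks the same.
            if [ "$2" = found ]; then echo enabled; else echo "disabled (automagic)"; fi ;;
        *)
            echo "error: unknown mode '$1'" >&2; return 1 ;;
    esac
}

# Stand-alone usage: sh configure-libcap.sh [--enable-libcap|--disable-libcap]
if mode=$(libcap_mode_from_flag "${1:-}"); then
    if detect_libcap; then probe=found; else probe=missing; fi
    resolve_libcap "$mode" "$probe"
fi
```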