| 1 |
On 30/04/13 11:50, Joerg Schilling wrote: |
| 2 |
> Nikos Chantziaras <realnc@×××××.com> wrote: |
| 3 |
> |
| 4 |
>>> Would you call someone who shoots himself into the foot "smart"? |
| 5 |
>>> |
| 6 |
>>> Recent Linux kernels support fcaps in the filesystems and "somebody" evil, who |
| 7 |
>>> knows what he does may even set up fcaps on executable files when the related |
| 8 |
>>> support-software is not installed, just because the unstable kernel interfaces |
| 9 |
>>> are accessible from libc. |
| 10 |
>>> |
| 11 |
>>> Do you like people to be able to open security holes? |
| 12 |
>> |
| 13 |
>> You don't know what my intentions are and why I want to disable libcap. |
| 14 |
>> I have my reasons. This happens because it is actually possible to |
| 15 |
>> disable it. |
| 16 |
> |
| 17 |
> I explained why not having libcap by default is a security risk. |
| 18 |
> |
| 19 |
> You would need to explain your reasons, I currently cannot see a valid |
| 20 |
> reason to exclude a very small piece of security relevant software. |
| 21 |
|
| 22 |
I already did that: |
| 23 |
|
| 24 |
> If I use the appropriate |
| 25 |
> "enable libcap" flag, and libcap is not there, or it's broken, or |
| 26 |
> whatever, I don't want to get a build that's now insecure. I want the |
| 27 |
> build to abort with a big, fat error. |
| 28 |
|
| 29 |
Automagic deps are bad thing. I want to know what's going on, and need |
| 30 |
to have a way to make sure that something is indeed enabled/disabled. |
| 31 |
|
| 32 |
|
| 33 |
>> If you really don't like that, then you should probably make libcap |
| 34 |
>> mandatory. Assume it's there, and if it's not, the user should get |
| 35 |
>> compile errors. |
| 36 |
> |
| 37 |
> If you don't like my explanations, you are free to explain your reasons. |
| 38 |
|
| 39 |
I already did. The "you don't know what I intend" part is there to |
| 40 |
cover use cases you cannot foresee. Just because we can't think of them |
| 41 |
doesn't they don't exist. |
| 42 |
|
| 43 |
|
| 44 |
>> But as long as it's not mandatory, I have my reasons why I would want to |
| 45 |
>> disable it, just as I have my reasons why I would want to explicitly |
| 46 |
>> enable it. What if autodetection fails? If I use the appropriate |
| 47 |
>> "enable libcap" flag, and libcap is not there, or it's broken, or |
| 48 |
>> whatever, I don't want to get a build that's now insecure. I want the |
| 49 |
>> build to abort with a big, fat error. |
| 50 |
>> |
| 51 |
>> I think you're too used to binary distros and Solaris to appreciate the |
| 52 |
>> different requirements of source-based distros :-) |
| 53 |
> |
| 54 |
> Solaris is source based too..... |
| 55 |
|
| 56 |
I don't see how. Unless you mean that you can build from source on it. |
| 57 |
Which isn't the same thing. |
| 58 |
|
| 59 |
|
| 60 |
> The real difference to Linux is that Solaris uses a kernel that is |
| 61 |
> auto-adjusting to the hardware and usage because it is fully dynamically loaded |
| 62 |
> and because all parameters adjust themself to any needed value as long as there |
| 63 |
> is enough kernel memory. |
| 64 |
|
| 65 |
Gentoo isn't Solaris though. Automagic deps cause problems on user's |
| 66 |
systems here. |
| 67 |
|
| 68 |
|
| 69 |
> Linux has a large statically linked part and in theory you may be able to |
| 70 |
> compile it without capabilities, but then you would still need to have the |
| 71 |
> userland support-code available to permit userland programs to find out whether |
| 72 |
> the current kernel includes support or not. |
| 73 |
> |
| 74 |
> ...it is a matter of understaning security related constraints... |
| 75 |
|
| 76 |
Understanding the problems of automagic deps on source-based Linux is |
| 77 |
also important. |
| 78 |
|
| 79 |
Question though: if it's that important to have libcap, why do you |
| 80 |
provide a way to build the software without it? Why not just make it |
| 81 |
mandatory? |
Archives