| 1 |
On 17-10-03 at 19:08, Stroller wrote: |
| 2 |
> Hello, |
| 3 |
> |
| 4 |
> On my Linode VM in /etc/portage/package.use I have: |
| 5 |
> |
| 6 |
> net-misc/iputils -caps -filecaps |
| 7 |
> |
| 8 |
> I have no recollection of setting these flags, but `genlop -iputils ` |
| 9 |
> gives an installation date 2 days after I signed up with Linode, which |
| 10 |
> tends to suggest I installed the package. Or perhaps it was part of |
| 11 |
> the original Linode Gentoo disk image, and I only updated iputils? |
| 12 |
> |
| 13 |
> The USE flag descriptions are meaningless to me and so I have no idea |
| 14 |
> why I might have set these flags, were it me who did so: |
| 15 |
> |
| 16 |
> caps - Use Linux capabilities library to control privilege |
| 17 |
> filecaps - Use Linux file capabilities to control privilege rather than set*id (this is orthogonal to USE=caps which uses capabilities at runtime e.g. lib cap) |
| 18 |
Capabilities are a method of providing programs with more or less |
| 19 |
specific "privileges" as an alternative to running the program as |
| 20 |
root/suid. The "caps" useflag controls these at runtime by allowing |
| 21 |
programs to drop capabilities that the program doesn't need so that if |
| 22 |
something happens it has the ability to break less things. The |
| 23 |
"filecaps" flag is the "equivalent" of the suid bit but for specific |
| 24 |
capabilities (so instead of providing ping with suid-root you can give |
| 25 |
it CAP_NET_RAW only). |
| 26 |
|
| 27 |
It is almost always better to enable both of these where possible since |
| 28 |
it helps decrease the attack surface for the programs in question. |
| 29 |
|
| 30 |
Read capabilities(7) for more information. |
| 31 |
|
| 32 |
-- |
| 33 |
Simon Thelen |
Archives