1 |
On 17-10-03 at 19:08, Stroller wrote: |
2 |
> Hello, |
3 |
> |
4 |
> On my Linode VM in /etc/portage/package.use I have: |
5 |
> |
6 |
> net-misc/iputils -caps -filecaps |
7 |
> |
8 |
> I have no recollection of setting these flags, but `genlop -iputils ` |
9 |
> gives an installation date 2 days after I signed up with Linode, which |
10 |
> tends to suggest I installed the package. Or perhaps it was part of |
11 |
> the original Linode Gentoo disk image, and I only updated iputils? |
12 |
> |
13 |
> The USE flag descriptions are meaningless to me and so I have no idea |
14 |
> why I might have set these flags, were it me who did so: |
15 |
> |
16 |
> caps - Use Linux capabilities library to control privilege |
17 |
> filecaps - Use Linux file capabilities to control privilege rather than set*id (this is orthogonal to USE=caps which uses capabilities at runtime e.g. lib cap) |
18 |
Capabilities are a method of providing programs with more or less |
19 |
specific "privileges" as an alternative to running the program as |
20 |
root/suid. The "caps" useflag controls these at runtime by allowing |
21 |
programs to drop capabilities that the program doesn't need so that if |
22 |
something happens it has the ability to break less things. The |
23 |
"filecaps" flag is the "equivalent" of the suid bit but for specific |
24 |
capabilities (so instead of providing ping with suid-root you can give |
25 |
it CAP_NET_RAW only). |
26 |
|
27 |
It is almost always better to enable both of these where possible since |
28 |
it helps decrease the attack surface for the programs in question. |
29 |
|
30 |
Read capabilities(7) for more information. |
31 |
|
32 |
-- |
33 |
Simon Thelen |