On Wed, 2009-11-04 at 20:42 +0530, Shridhar Daithankar wrote: > Hi, > > I was reading thr. /. commentary on the latest linux kernel bug, got drifted > into file system capabilities. and got this, (from > http://lwn.net/Articles/313838/) > > [root@presario shridhar]# ls -la /bin/ping > -rwsr-xr-x 1 root root 33360 2008-10-04 17:48 /bin/ping > [root@presario shridhar]# chmod u-s /bin/ping > [root@presario shridhar]# setcap cap_net_raw=ep /bin/ping > [root@presario shridhar]# ls -al /bin/ping > -rwxr-xr-x 1 root root 33360 2008-10-04 17:48 /bin/ping > [root@presario shridhar]# exit > shridhar@presario ~$ ping 192.168.1.5 > PING 192.168.1.5 (192.168.1.5) 56(84) bytes of data. > 64 bytes from 192.168.1.5: icmp_seq=1 ttl=64 time=0.219 ms > 64 bytes from 192.168.1.5: icmp_seq=2 ttl=64 time=0.354 ms > ^C > --- 192.168.1.5 ping statistics --- > 2 packets transmitted, 2 received, 0% packet loss, time 999ms > rtt min/avg/max/mdev = 0.219/0.286/0.354/0.069 ms > > so can this be done by default? thus reducing setuid usage? it should improve > security right? This can be done by default, but capabilities aren't preserved when making tarballs. Every capability has to be set from post_install/post_upgrade in such cases. Maybe this is something worth to implement though.
