On Wed, Nov 4, 2009 at 3:15 PM, Jan de Groot <jan@xxxxxxxxxxxxxx> wrote: > On Wed, 2009-11-04 at 20:42 +0530, Shridhar Daithankar wrote: >> Hi, >> >> I was reading thr. /. commentary on the latest linux kernel bug, got drifted >> into file system capabilities. and got this, (from >> http://lwn.net/Articles/313838/) >> >> [root@presario shridhar]# ls -la /bin/ping >> -rwsr-xr-x 1 root root 33360 2008-10-04 17:48 /bin/ping >> [root@presario shridhar]# chmod u-s /bin/ping >> [root@presario shridhar]# setcap cap_net_raw=ep /bin/ping >> [root@presario shridhar]# ls -al /bin/ping >> -rwxr-xr-x 1 root root 33360 2008-10-04 17:48 /bin/ping >> [root@presario shridhar]# exit >> shridhar@presario ~$ ping 192.168.1.5 >> PING 192.168.1.5 (192.168.1.5) 56(84) bytes of data. >> 64 bytes from 192.168.1.5: icmp_seq=1 ttl=64 time=0.219 ms >> 64 bytes from 192.168.1.5: icmp_seq=2 ttl=64 time=0.354 ms >> ^C >> --- 192.168.1.5 ping statistics --- >> 2 packets transmitted, 2 received, 0% packet loss, time 999ms >> rtt min/avg/max/mdev = 0.219/0.286/0.354/0.069 ms >> >> so can this be done by default? thus reducing setuid usage? it should improve >> security right? > > This can be done by default, but capabilities aren't preserved when > making tarballs. Every capability has to be set from > post_install/post_upgrade in such cases. Maybe this is something worth > to implement though. Just in case someone knows, does star preserve capabilities, I'm under the impression it does a better job on ACLs and other file system flags than tar? /M -- Magnus Therning (OpenPGP: 0xAB4DFBA4) magnus@therning.org Jabber: magnus@therning.org http://therning.org/magnus identi.ca|twitter: magthe
