Re: RemoveSETUID feature (Was: Summary/Minutes from today's FESCo meeting (2010-10-26) NEW TIME!)

On Thu, 28 Oct 2010, Jason L Tibbitts III wrote:

>>>>>> "JN" == Joe Nall <joe@xxxxxxxx> writes:
>
> JN> On Oct 28, 2010, at 5:08 PM, Richard W.M. Jones wrote:
>
>>> More to the point, I can easily see the setuid bit easily on a
>>> binary.
>>> How do I tell if these strange/hidden "capabilities" are
>>> present on a binary?  'ls' doesn't mention anything.
>
> JN> getcap
>
> Interesting.  That's in the libcap package, which is sort of oddly named
> because it includes executables.  And of course it's multilib, but the
> binaries are arch-specific which I believe is a multilib conflict.
> Probably needs the executables split out into a libcap-tools package.
>
> I notice that rpm supports that %caps() directive in the %files list to
> specify capabilities.  I don't recall seeing that before; how long ago
> did rpm grow support for it?  It looks like it came in around rpm 4.7,
> so all supported Fedora releases have it.  However, I'm certain it's not
> in RHEL4 and I'm pretty sure it's not in RHEL5 either, so at least the
> EPEL folks will need to make a note of it.

Yup, rpm 4.7.0 was the first one to support file capabilities. Its 
use is tracked with rpmlib(FileCaps) dependency, making packages utilizing 
the feature uninstallable with any older rpm versions, and of course 
trying to build such packages on older versions will barf out with 
errors.

It should be possible to have EPEL define a macro that turns %caps(foo) 
into an %attr() with SUID bit set, but blindly enabling SUID bits might 
not be such a hot idea...

 	- Panu -
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
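
The question quoted in the message above (how to tell whether a binary carries file capabilities when 'ls' shows nothing) comes down to reading the security.capability extended attribute, which is what getcap decodes. The following is an added example, not part of the original message and not code from libcap or rpm; the function names, the partial capability name table and the sample bytes are constructed for illustration.

```python
import os
import stat
import struct

# Values from <linux/capability.h>
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision -> number of 32-bit (permitted, inheritable) pairs that follow
VFS_CAP_PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}
# Partial bit -> name table (illustrative); other bits print as cap_<n>
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 7: "cap_setuid",
             10: "cap_net_bind_service", 12: "cap_net_admin",
             13: "cap_net_raw", 21: "cap_sys_admin"}

# Constructed sample: what cap_net_raw+ep looks like on disk (revision 2)
SAMPLE_XATTR = struct.pack("<IIIII", 0x02000001, 1 << 13, 0, 0, 0)


def _names(mask):
    return [CAP_NAMES.get(b, "cap_%d" % b) for b in range(64) if mask >> b & 1]


def decode_vfs_caps(blob):
    """Decode a raw security.capability xattr value (little-endian)."""
    if len(blob) < 4:
        raise ValueError("truncated xattr")
    (magic,) = struct.unpack_from("<I", blob, 0)
    pairs = VFS_CAP_PAIRS.get(magic & VFS_CAP_REVISION_MASK)
    if pairs is None or len(blob) < 4 + 8 * pairs:
        raise ValueError("unknown revision or truncated xattr")
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {"permitted": _names(permitted),
            "inheritable": _names(inheritable),
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE)}


def audit(path):
    """Report the setuid bit and any file capabilities for one file."""
    mode = os.lstat(path).st_mode
    report = {"path": path, "setuid": bool(mode & stat.S_ISUID), "caps": None}
    try:
        raw = os.getxattr(path, "security.capability", follow_symlinks=False)
        report["caps"] = decode_vfs_caps(raw)
    except OSError:
        pass  # no capability xattr, or the filesystem has no xattr support
    return report
```

Running audit() over the files of an installed package shows both privilege mechanisms side by side, which is useful when checking that a setuid-to-capabilities conversion actually dropped the setuid bit.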