Hi Dan,

Thanks for the suggestion - I like that way because it gives full control to the admin together with the responsibility and does not implicitly do unexpected things. It is also a clean approach both from user experience and packaging point of view, so I will go for that way.

With best regards,
b.

On Sun, 2022-02-20 at 07:51 +0000, Dan Čermák wrote:
> Hi Boian,
>
> On February 20, 2022 12:49:53 AM UTC, Boian Bonev <bbonev@xxxxxxxxxx> wrote:
> > Hello,
> >
> > I have got a pull request [1] that implements installing iotop-c with the
> > NET_ADMIN capability by default and I am trying to evaluate if that is OK
> > or not.
> >
> > Currently iotop-c will only allow to be run as root. In case it is run as
> > some other user, it will advise to use sudo, or alternatively add the
> > NET_ADMIN capability to the binary:
> >
> >     sudo setcap 'cap_net_admin+eip' <path-to>/iotop
> >
> > Obviously that will have to be redone after each update, adding some
> > inconvenience for admins who decide to allow that for non-root users.
>
> This is not really an answer to the security question, but if that remains
> unresolved, you could also introduce a sub package to iotop-c, that would
> contain a transaction file trigger on the binary and add the capability. Thus
> the user would be able to opt into having iotop-c with the added capability
> even after upgrades, as long as the sub package is installed.
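
A sketch of the opt-in sub-package suggested in the quoted reply, added here as an illustration and not taken from the iotop-c spec file or from the pull request. The sub-package name `caps`, the `iotop_bin` macro and the binary path behind it are assumptions.

```spec
# Added example, not the project's packaging.
# Assumption: the main package installs the binary at this path.
%global iotop_bin %{_sbindir}/iotop

%package caps
Summary:        Opt-in: keep cap_net_admin on iotop across updates
# Tie the sub-package to the exact build it was made for.
Requires:       %{name}%{?_isa} = %{version}-%{release}
# libcap ships setcap/getcap on Fedora.
Requires:       libcap

%description caps
Installing this sub-package sets the cap_net_admin file capability on
iotop so that non-root users can run it. Every local user who is able
to execute the binary then gets that capability inside iotop, so the
admin installs this package deliberately. Without it, iotop stays
root-only as before.

# Transaction file trigger: runs once at the end of any transaction that
# installed or updated a file matching the path below, and also when this
# sub-package itself is installed while the file is already present.
# A package update replaces the binary and with it the file capability,
# which is why the capability has to be set again here.
%transfiletriggerin caps -- %{iotop_bin}
if [ -f %{iotop_bin} ] && [ ! -L %{iotop_bin} ]; then
    setcap cap_net_admin+eip %{iotop_bin} || :
fi

# When the sub-package is erased ($1 == 0, not an upgrade), drop the
# capability again so that removal really reverts the opt-in.
%postun caps
if [ "$1" -eq 0 ] && [ -f %{iotop_bin} ]; then
    setcap -r %{iotop_bin} || :
fi

# No payload: the sub-package exists only to carry the scriptlets.
%files caps
```

After installing or updating, `getcap <path-to>/iotop` shows whether the capability is present on the binary.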