On Wed, Oct 29, 2008 at 6:37 AM, Panu Matilainen <pmatilai@xxxxxxxxxxxxxxx> wrote: > > Hate to interrupt the tty1 vs tty7 debate but... > > We have kernel support for storing capabilities on filesystem since 2.6.24 > and recent libcap, both in F9 already. I just committed file capability > support to rpm.org HEAD, filling in the final(?) missing piece. Capability > support is not going to be in rpm 4.6.0 but no reason they can't be pulled > into 4.6.1 which is easily in F11 timeframe. > > Are we ready to start considering moving away from SUID bits to > capabilities, in Fedora 11 maybe? Note that from the desktop direction we've been moving the OS away from exec-based domain transitions to message passing (e.g. PolicyKit) for a variety of reasons. I think it might be worth considering introducing a rule actually in Fedora for "no new SUID/fcap binaries", or at least they would have to pass some sort of robust review process. -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
