On Wed, 2008-10-29 at 17:02 -0400, Bill Nottingham wrote:
> seth vidal (skvidal@xxxxxxxxxxxxxxxxx) said:
> > > Are we ready to start considering moving away from SUID bits to
> > > capabilities, in Fedora 11 maybe?
> >
> > How does that mesh with networked file systems (nfs, samba)?
>
> I don't have firsthand knowledge, but I would suspect 'badly'.
>
> Bill
>

Since the capabilities are stored in xattrs, they will run into the same problems that SELinux does. Labeled NFS is working to address this by providing a per-file attribute through NFSv4 for extra security information. Additionally, you could try NFSv4 named attributes for capabilities, but we have found that named attributes do not provide the semantics needed for our purposes and would require changes to the NFSv4 xattr handler to use a hardcoded attribute name.

The possibility of multiple attributes being sent at the same time was initially raised by BSD's MAC framework, so we will have to look into separating the security attribute into sections by some identifier (DOI maybe?).

Dave

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
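As an added example (not code from the thread or from Fedora), the following Python decodes the `security.capability` xattr Dave refers to, following the `struct vfs_cap_data` layout from the kernel's `<linux/capability.h>`; it shows concretely what is lost when a file lands on a filesystem that cannot carry xattrs. The sample blob is constructed, and the capability-name table is a hand-picked subset.

```python
"""Decode the Linux security.capability xattr (struct vfs_cap_data from
<linux/capability.h>). Added example, not code from the thread."""
import errno
import os
import struct

VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # flag: all permitted caps are also effective
VFS_CAP_REVISION_1 = 0x01000000     # one permitted/inheritable pair (caps 0..31)
VFS_CAP_REVISION_2 = 0x02000000     # two pairs (caps 0..63)
VFS_CAP_REVISION_3 = 0x03000000     # two pairs plus a user-namespace rootid
WORDS_PER_REV = {VFS_CAP_REVISION_1: 1, VFS_CAP_REVISION_2: 2, VFS_CAP_REVISION_3: 2}

# Hand-picked subset of capability numbers, only to make output readable.
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 7: "cap_setuid",
             12: "cap_net_admin", 13: "cap_net_raw", 21: "cap_sys_admin"}

def decode_vfs_cap(blob):
    """Return (permitted_mask, inheritable_mask, effective_flag, rootid_or_None)."""
    (magic_etc,) = struct.unpack_from("<I", blob, 0)
    rev = magic_etc & 0xFF000000
    if rev not in WORDS_PER_REV:
        raise ValueError("unknown vfs_cap_data revision 0x%08x" % rev)
    permitted = inheritable = 0
    for i in range(WORDS_PER_REV[rev]):  # data[0] = caps 0..31, data[1] = caps 32..63
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = None
    if rev == VFS_CAP_REVISION_3:
        (rootid,) = struct.unpack_from("<I", blob, 4 + 8 * WORDS_PER_REV[rev])
    return permitted, inheritable, bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE), rootid

def cap_mask_names(mask):
    """Expand a capability bitmask into names, lowest bit first (cap_N if unknown)."""
    return [CAP_NAMES.get(b, "cap_%d" % b) for b in range(64) if (mask >> b) & 1]

def file_caps(path):
    """Decode a file's capabilities; None if none are set or the filesystem
    (e.g. an NFS/Samba mount without xattr support) cannot store them."""
    try:
        blob = os.getxattr(path, "security.capability", follow_symlinks=False)
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return decode_vfs_cap(blob)

# Constructed sample: the 20-byte blob `setcap cap_net_raw+ep` leaves on ping.
SAMPLE_PING = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                          1 << 13, 0, 0, 0)
```

Run `file_caps("/bin/ping")` on a local filesystem and then on a copy placed on an NFS or Samba mount to see the attribute silently disappear on the latter.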