On Thu, 2008-10-30 at 20:25 +0200, Panu Matilainen wrote: > On Wed, 29 Oct 2008, Steve Grubb wrote: > > > On Wednesday 29 October 2008 06:37:32 Panu Matilainen wrote: > >> We have kernel support for storing capabilities on filesystem since 2.6.24 > >> and recent libcap, both in F9 already. > > > > And we have also been busy updating everything else to support this: > > > > https://bugzilla.redhat.com/show_bug.cgi?id=449984 > > Ah, thanks for the pointer. > > > > >> I just committed file capability support to rpm.org HEAD, filling in the > >> final(?) missing piece. Capability support is not going to be in rpm 4.6.0 > >> but no reason they can't be pulled into 4.6.1 which is easily in F11 > >> timeframe. > > > > We tried to support this in F-10 by having a test run with ping. We figured > > that is a simple well defined app that could be used as a test subject. We > > opened bz 455713 to document the change over. Turns out that people compile > > their own kernels and do not necessarily turn this on. So, what do we do in > > that case? > > People compiling their own kernels can hose their systems more > dramatically than this... > > > > >> Are we ready to start considering moving away from SUID bits to > >> capabilities, in Fedora 11 maybe? > > > > We tried and got turned back. How does rpm work on kernels that do not support > > file capabilities? I'd like to see us get past the initial objections so that > > we can start removing some of the setuid bits. > > Right now, installation of a package using capabilities will fail entirely > if kernel/filesystem doesn't support setting capabilities. Packages with > capabilities in them require rpmlib(FileCaps) feature, which rpm currently > provides if built with libcap support. It could (and probably should, > anyway) be made into a run-time tested feature, so that you'll get > something like this if running on kernel with no capability support: > > error: Failed dependencies: > rpmlib(FileCaps) <= 4.6.1-1 is needed by ... Except nothing really watches those rpmlib() deps much at all, does it? -sv -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
