On Sat, 2008-11-01 at 01:09 -0600, Dax Kelson wrote: > On Wed, 2008-10-29 at 15:02 -0400, Steve Grubb wrote: > > > We tried to support this in F-10 by having a test run with ping. We figured > > that is a simple well defined app that could be used as a test subject. We > > opened bz 455713 to document the change over. Turns out that people compile > > their own kernels and do not necessarily turn this on. So, what do we do in > > that case? > > I thought more about this. > > How about a check in rc.sysinit to see if the kernel supports > capabilities? > > If the check fails it could do either or both of the following: > > 1. Display and log nasty warning message > 2. Run the command: chmod u+s `cat /etc/posixcapbinaries` > > Doing 2. would be the "friendly" thing to give the user a non-broken > system. It does make it a bit more complicated because you'd want some > logic that if they booted back to a kernel with posix capabilities you > stripped the suid bits. Also, rpm verity will complain. Another idea. Leave all the binaries with SUID bit set, but have the /etc/fstab have 'nosuid' on all the filesystems. Again, have logic in rc.sysinit that detects posix capabilities status of the kernel and if it is missing, remounts the filesystems with suid support. For all mounted filesystems do mount -o remount,suid $filesystem done With this idea you don't have to maintain state, and rpm verify will always be happy. Dax Kelson Guru Labs -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
