pld rpm 5.4.17

Tomasz Pala gotar at polanet.pl
Thu Jan 12 22:23:22 CET 2017


On Thu, Jan 12, 2017 at 14:58:51 -0500, Jeffrey Johnson wrote:

> AFAIK there???s only a handful of files that benefit from capabilities (but I haven???t looked recently: for all I know

For the start - almost every SUID binary. Then - binaries that are
currently run with EUID==root only to provide CAP_NET_BIND_SERVICE.
While Linux capabilities are often referred as 'broken' (many of the
cases are covered only by CAP_SYS_ADMIN), the counterpart you've
mentioned, xattrs, are much more widely usable.

Some of the caps security (i.e. dropping unneeded ones) can be handled
by systemd units, but since they are in general upstream-provided, we
shouldn't mess with them here. This won't help for overrided units
anyway.

> FWIW: handling capabilities (and acls/xattrs) within %post/%preun/%verifyscript scriptlets isn???t
> all *THAT* ugly. JMHO, YMMV.

It doesn't need to be *THAT* ugly; it is 'so' ugly, that nobody uses them in such way.

-- 
Tomasz Pala <gotar at pld-linux.org>


More information about the pld-devel-en mailing list