rpm: POSIX capabilities/ACLs?
Tomasz Pala
gotar at polanet.pl
Sat Feb 6 17:56:35 CET 2010
On Sat, Feb 06, 2010 at 12:04:07 +0100, Zbyniu Krzystolik wrote:
>> Anyone knows if it is or is going to be possible in rpm to store xattrs?
>
> Not possible now.
And how about The Other RPM? This is a must-be feature and sooner or
later we must get rid of broken by design SUID/SGID...
> My note may be interested for you (pl); libcap-ng utils can simplify it.
> http://zz.iapt.pl/bez_root2.txt
That's similar to thing I want to do. The difference is you drop
capabilities, and I want to set some for regular users (either
designated - for daemons having it's own files and secrets, or nobody
for anything else, using start-stop-daemon --chuid). Like this:
setcap cap_net_bind_service=ei =nc
execcap cap_net_bind_service=i su - gotar -c 'nc -l -p 34'
but this obviously requires tagging binaries. The problem is tracking
all the xattrs (caps and ACLs).
Especially if I need to restrict some accounts (i.e. give some
permissions to normal accounts) more, than hardening daemons...
--
Tomasz Pala <gotar at pld-linux.org>
More information about the pld-devel-en
mailing list