rpm: POSIX capabilities/ACLs?

Tomasz Pala gotar at polanet.pl
Sat Feb 6 17:56:35 CET 2010

On Sat, Feb 06, 2010 at 12:04:07 +0100, Zbyniu Krzystolik wrote:

>> Anyone knows if it is or is going to be possible in rpm to store xattrs?
> Not possible now.

And how about The Other RPM? This is a must-be feature and sooner or
later we must get rid of broken by design SUID/SGID...

> My note may be interested for you (pl); libcap-ng utils can simplify it.
> http://zz.iapt.pl/bez_root2.txt

That's similar to thing I want to do. The difference is you drop
capabilities, and I want to set some for regular users (either
designated - for daemons having it's own files and secrets, or nobody
for anything else, using start-stop-daemon --chuid). Like this:

setcap cap_net_bind_service=ei =nc
execcap cap_net_bind_service=i su - gotar -c 'nc -l -p 34'

but this obviously requires tagging binaries. The problem is tracking
all the xattrs (caps and ACLs).

Especially if I need to restrict some accounts (i.e. give some
permissions to normal accounts) more, than hardening daemons...

Tomasz Pala <gotar at pld-linux.org>

More information about the pld-devel-en mailing list