rpm: POSIX capabilities/ACLs?
Jeff Johnson
n3npq at mac.com
Sun Feb 7 22:30:11 CET 2010
On Feb 6, 2010, at 11:56 AM, Tomasz Pala wrote:
> On Sat, Feb 06, 2010 at 12:04:07 +0100, Zbyniu Krzystolik wrote:
>
>>> Anyone knows if it is or is going to be possible in rpm to store xattrs?
>>
>> Not possible now.
>
> And how about The Other RPM? This is a must-be feature and sooner or
> later we must get rid of broken by design SUID/SGID...
>
You must mean rpm-5.0 as the "other rpm" ;-)
Yes. rpm.org has a defined tag for capabilities, and perhaps for
ACL's (of the Linux persuasion; how to package ACL's portably
for *BSD and MacOSX is a nastier but solvable issue).
When I looked at porting support for capabilities & ACL's, this
reasoning made me reluctant:
There are > 300K files in a typical rpm distro.
Out of that 300K files, perhaps 100-500 files would
benefit (afaik) from adding support for capabilities/ACL's.
Adding an additional per-file tag to benefit 500 of 300,000
files, with the additional download bandwidth needed to
represent missing/unused info doesn't make much sense.
Making the tag "optional", present iff explicitly added,
while doable, creates a different sort of "missing" or "optional"
problem.
But if you want capabilities/ACL's ported to rpm-4.5, I can do that in
an afternoon if you wish.
>> My note may be interesting for you (pl); libcap-ng utils can simplify it.
>> http://zz.iapt.pl/bez_root2.txt
>
> That's similar to thing I want to do. The difference is you drop
> capabilities, and I want to set some for regular users (either
> designated - for daemons having its own files and secrets, or nobody
> for anything else, using start-stop-daemon --chuid). Like this:
>
> setcap cap_net_bind_service=ei =nc
> execcap cap_net_bind_service=i su - gotar -c 'nc -l -p 34'
>
> but this obviously requires tagging binaries. The problem is tracking
> all the xattrs (caps and ACLs).
>
Yes, tracking *all* the file paths is exactly the same as SELinux
xattr's. Note that SELinux currently doesn't trust its means to "track"
the xattrs across *all* file paths sufficiently that they have chosen
to "package" SELinux modular policy with
Any SELinux attr that is installed is never removed.
Similar issues will be seen with capabilities/ACL's tracked across
*all* file paths in addition to the bloat I mentioned.
No matter what:
There's nothing stopping you from applying capabilities/ACL's
in %post, and removing same (if necessary) in %postun and verifying
that indeed the correct capabilities/ACL's are applied using %verifyscript.
hth
73 de Jeff
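
The %post / %postun / %verifyscript approach suggested above, sketched as an added example that is not part of the original message or of rpm itself. The path /usr/bin/nc and the function names are constructed for illustration; the capability string is the one quoted in the thread, and the two getcap output styles handled (with and without " = ") are an assumption about the installed libcap.

```shell
#!/bin/sh
# Added example: helpers for rpm scriptlets that manage file capabilities
# outside the package payload. Intended use (hypothetical package):
#   %post:         setcap cap_net_bind_service=ei /usr/bin/nc
#   %postun:       setcap -r <path>    # only if the file outlives the package
#   %verifyscript: verify_caps /usr/bin/nc cap_net_bind_service=ei

# Extract the capability text for a known path from one line of getcap
# output. Accepts "path = caps" and "path caps". Fails if the line is
# empty or is about another file (getcap prints nothing when no caps are set).
caps_from_getcap() {   # $1 = path, $2 = getcap output line
    rest=${2#"$1"}
    [ "$rest" != "$2" ] || return 1
    rest=${rest#" = "}
    rest=${rest#" "}
    printf '%s\n' "$rest"
}

# Compare the capabilities on a file with the expected value.
# "+" and "=" are treated as the same operator, which holds for the
# single-clause values used here (assumption, not a full cap_from_text parser).
verify_caps() {   # $1 = path, $2 = expected caps, $3 = getcap line (optional)
    line=${3-$(getcap "$1" 2>/dev/null)}
    got=$(caps_from_getcap "$1" "$line" | tr '+' '=')
    want=$(printf '%s' "$2" | tr '+' '=')
    if [ "$got" = "$want" ]; then
        return 0
    fi
    echo "capability mismatch on $1: want '$want', got '${got:-none}'" >&2
    return 1
}

# Constructed sample lines in both output styles.
for sample in "/usr/bin/nc = cap_net_bind_service+ei" \
              "/usr/bin/nc cap_net_bind_service=ei"; do
    verify_caps /usr/bin/nc cap_net_bind_service=ei "$sample" && echo "ok: $sample"
done
```

A non-zero exit from %verifyscript is what makes `rpm -V` report the package as failing verification, so a capability lost to a file replacement or a manual `setcap -r` shows up there.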