rpm: POSIX capabilities/ACLs?

Zbyniu Krzystolik zbyniu at geocarbon.pl
Mon Feb 8 22:24:30 CET 2010

Tomasz Pala napisał(a):
> On Sat, Feb 06, 2010 at 12:04:07 +0100, Zbyniu Krzystolik wrote:
> > My note may be interested for you (pl); libcap-ng utils can simplify it.
> > http://zz.iapt.pl/bez_root2.txt
> That's similar to thing I want to do. The difference is you drop
> capabilities, and I want to set some for regular users (either
> designated - for daemons having it's own files and secrets, or nobody
> for anything else, using start-stop-daemon --chuid). Like this:
> setcap cap_net_bind_service=ei =nc
> execcap cap_net_bind_service=i su - gotar -c 'nc -l -p 34'

Like this? :)

> but this obviously requires tagging binaries. The problem is tracking
> all the xattrs (caps and ACLs).


> Especially if I need to restrict some accounts (i.e. give some
> permissions to normal accounts) more, than hardening daemons...

I want it too. :)

%% Absolutely nothing we trust %%

More information about the pld-devel-en mailing list