rpm: POSIX capabilities/ACLs?

Tomasz Pala gotar at polanet.pl
Tue Feb 9 12:52:36 CET 2010


On Mon, Feb 08, 2010 at 22:24:30 +0100, Zbyniu Krzystolik wrote:

>> setcap cap_net_bind_service=ei =nc
>> execcap cap_net_bind_service=i su - gotar -c 'nc -l -p 34'
> 
> Like this? :)
> http://zz.iapt.pl/bez_root.txt

Yes, you already gave me this link and that's how I started on caps :)

>> but this obviously requires tagging binaries. The problem is tracking
>> all the xattrs (caps and ACLs).
> 
> Yep.

That's why I've asked about rpm - we could easily extend SUIDs with
fP(+fE?) so that end user could make his choice using securebits.

http://lwn.net/Articles/280279/
http://lwn.net/Articles/368600/

In short: I'd like to disable entire SUID/SGID mechanism in my systems
(SECURE_NO_SETUID_FIXUP+SECURE_KEEP_CAPS or entire SECURE_NOROOT maybe).

-- 
Tomasz Pala <gotar at pld-linux.org>
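
An added example, not part of the original message: a decoder for the `security.capability` xattr, where the file capability sets (fP, fI and the fE flag) are stored, i.e. the per-binary tagging the thread says has to be tracked. The sample bytes are constructed and assume the revision 2 layout of the kernel's `struct vfs_cap_data`; `struct file_caps`, `decode_file_caps` and `SAMPLE_EI` are this example's own names.

```c
/* Added example: decode a security.capability xattr blob (struct vfs_cap_data). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Values as defined in the kernel's uapi <linux/capability.h>. */
#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_REVISION_1      0x01000000u
#define VFS_CAP_REVISION_2      0x02000000u
#define VFS_CAP_REVISION_3      0x03000000u
#define VFS_CAP_FLAGS_EFFECTIVE 0x000001u

struct file_caps { uint64_t permitted, inheritable; int effective; };

static uint32_t le32(const unsigned char *p) {   /* xattr fields are little-endian */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 on success, -1 if the blob is not a well-formed v1/v2/v3 xattr. */
int decode_file_caps(const unsigned char *x, size_t len, struct file_caps *out) {
    size_t words, need;   /* 32-bit {permitted, inheritable} pairs; exact size */
    if (len < 4) return -1;
    uint32_t magic = le32(x);
    switch (magic & VFS_CAP_REVISION_MASK) {
    case VFS_CAP_REVISION_1: words = 1; need = 12; break;
    case VFS_CAP_REVISION_2: words = 2; need = 20; break;
    case VFS_CAP_REVISION_3: words = 2; need = 24; break;  /* trailing rootid */
    default: return -1;
    }
    if (len != need) return -1;
    out->permitted = out->inheritable = 0;
    for (size_t i = 0; i < words; i++) {
        out->permitted   |= (uint64_t)le32(x + 4 + 8 * i) << (32 * i);
        out->inheritable |= (uint64_t)le32(x + 8 + 8 * i) << (32 * i);
    }
    out->effective = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;   /* the fE bit */
    return 0;
}

/* Constructed sample: cap_net_bind_service (bit 10) in fI only, fE set, rev 2. */
static const unsigned char SAMPLE_EI[20] = {
    0x01,0x00,0x00,0x02,  0x00,0x00,0x00,0x00,  0x00,0x04,0x00,0x00,
    0x00,0x00,0x00,0x00,  0x00,0x00,0x00,0x00 };

int main(void) {
    struct file_caps fc;
    if (decode_file_caps(SAMPLE_EI, sizeof SAMPLE_EI, &fc) != 0) return 1;
    printf("fP=%#llx fI=%#llx fE=%d\n", (unsigned long long)fc.permitted,
           (unsigned long long)fc.inheritable, fc.effective);
    return 0;
}
```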

