Mailinglist Archive: opensuse-features (632 mails)
[openFATE 307254] Use POSIX capabilities instead of suid
- From: fate_noreply@xxxxxxx
- Date: Thu, 4 Nov 2010 14:20:41 +0100 (CET)
- Message-id: <feature-307254-14@xxxxxxxxxxxxxx>
Feature changed by: Ludwig Nussel (lnussel)
Feature #307254, revision 14
Title: Use POSIX capabilities instead of suid
openSUSE-11.3: Rejected by Andreas Jaeger (a_jaeger)
reject date: 2010-11-04 13:34:16
reject reason: not done
Priority
Requester: Neutral
openSUSE-11.4: New
Priority
Requester: Neutral
Requested by: Pascal Bleser (pbleser)
Developer: (Novell)
Developer: (Novell)
+ Developer: (Novell)
Description:
Use POSIX file capabilities instead of suid processes and running e.g.
Apache as root:
* http://www.nuxified.org/blog/dear-distributors
* http://www.friedhoff.org/posixfilecaps.html
* https://www.redhat.com/archives/fedora-devel-list/2009-July/msg01568.html
+ * https://bugzilla.redhat.com/show_bug.cgi?id=646440
+ * http://fedoraproject.org/wiki/Features/RemoveSETUID
+
Discussion:
#1: Jan Engelhardt (jengelh) (2009-08-09 14:21:02)
Some tools like tar(1) do not even support recording Xattrs/ACLs (yet
people still use that for backups), and Filesystem Capabilities (not
POSIX capabilities) would not be recorded either. Such should really be
addressed first, more or less.
#2: Pascal Bleser (pbleser) (2009-08-10 01:30:22) (reply to #1)
No question, it's a mid-term objective. And not exactly trivial to
solve either.
I posted this feature rather as a reminder that that enhancement
exists, and that Fedora is trying to get it implemented. Just to keep
an eye on it ;)
#3: Cristian Rodríguez (elvigia) (2010-10-05 20:45:55)
I have enabled support for file capabilities in rpm using the %caps()
macro in factory.
However, having it enabled in rpm is not that useful as the actual
feature has to be activated manually by the user booting with
file_caps=1. Does anyone know the reason why it isn't enabled by
default?
#4: Ludwig Nussel (lnussel) (2010-10-11 09:59:23)
Before we can use fscaps in packages...
1) we need a mechanism that handles fscaps similar to /etc/permissions
2) we need an rpmlint check
3) binaries need to be audited whether they are suitable for fscaps
use, just like setuid binaries
#5: Ludwig Nussel (lnussel) (2010-10-28 13:20:50)
Are we absolutely sure that 11.4 does support file capabilities by
default?
I wonder whether to implement a runtime switchable way between
traditional suid binaries and fscaps.
Also what about run time upgrades to the new distro? In that case the
old kernel without fscaps is running but we would install binaries that
rely on fscaps. I.e. the system wouldn't work properly until reboot.
#6: Andreas Jaeger (a_jaeger) (2010-11-04 13:35:21)
Seems to be the same idea that Fedora is doing now:
http://lwn.net/Articles/412237/
#7: Ludwig Nussel (lnussel) (2010-11-04 14:08:42) (reply to #6)
Yes. My current plan is to not change attributes in the packages
though. Instead applying fscaps happens automatically via
/etc/permissions mechanism if the system supports it. That avoids the
problems Fedora sees atm with file systems that do not support fscaps.
See home:lnussel:fscaps for current state
--
openSUSE Feature:
https://features.opensuse.org/307254
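Added example (not code from the feature, from chkstat or from home:lnussel:fscaps): a small resolver for the approach in #4 and #7, where an /etc/permissions-style policy carries the capability set and the decision between fscaps and classic setuid is taken at runtime. The entry format is an assumption modelled on openSUSE's permissions files, the fallback rule (setuid-root when the kernel lacks fscaps) is this example's own, and the sample policy is constructed.

```python
"""Resolve a permissions-style policy to chmod/setcap actions, switching
between file capabilities and setuid at runtime (assumed format and rules)."""
import re

# Constructed sample in the assumed style of an openSUSE permissions file:
# an entry line, optionally followed by an indented "+capabilities" line.
SAMPLE_POLICY = """\
# path                 owner:group  mode
/usr/bin/ping          root:root    0755
 +capabilities cap_net_raw=ep
/usr/bin/passwd        root:shadow  4755
/usr/sbin/httpd        root:root    0755
 +capabilities cap_net_bind_service=ep
"""

ENTRY_RE = re.compile(r"^(\S+)\s+(\S+):(\S+)\s+([0-7]{4})$")
CAPS_RE = re.compile(r"^\s+\+capabilities\s+(\S+)$")


def parse_policy(text):
    """Return a list of dicts: path, owner, group, mode (int), caps (str or None)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            path, owner, group, mode = m.groups()
            entries.append({"path": path, "owner": owner, "group": group,
                            "mode": int(mode, 8), "caps": None})
            continue
        m = CAPS_RE.match(line)
        if m and entries:
            entries[-1]["caps"] = m.group(1)  # attaches to the preceding entry
            continue
        raise ValueError("unparseable policy line: %r" % line)
    return entries


def plan_actions(entries, fscaps_supported):
    """Map entries to (path, mode, caps). With fscaps the listed mode and caps
    apply; without them (kernel booted without file_caps, see #3 and #5) an
    entry with caps falls back to setuid-root and no caps, so it keeps working."""
    plan = []
    for e in entries:
        mode, caps = e["mode"], e["caps"]
        if caps and not fscaps_supported:
            mode, caps = mode | 0o4000, None
        plan.append((e["path"], mode, caps))
    return plan


def audit(plan):
    """Flag entries that end up with both setuid and caps: the caps add nothing
    on top of root, which is what the per-binary review in #4 should catch."""
    return [path for path, mode, caps in plan if caps and mode & 0o4000]
```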