Feature changed by: Ludwig Nussel (lnussel) Feature #307254, revision 10 Title: Use POSIX capabilities instead of suid openSUSE-11.3: Unconfirmed Priority Requester: Neutral Requested by: Pascal Bleser (pbleser) Developer: (Novell) Developer: (Novell) Description: Use POSIX file capabilities instead of suid processes and running e.g. Apache as root: * http://www.nuxified.org/blog/dear-distributors (http://www.nuxified.org/blog/dear-distributors) * http://www.friedhoff.org/posixfilecaps.html (http://www.friedhoff.org/posixfilecaps.html) * https://www.redhat.com/archives/fedora-devel-list/2009-July/msg01568.html (https://www.redhat.com/archives/fedora-devel-list/2009-July/msg01568.html) Discussion: #1: Jan Engelhardt (jengelh) (2009-08-09 14:21:02) Some tools like tar(1) do not even support recording Xattrs/ACLs (yet people still use that for backups), and Filesystem Capabilities (not POSIX capabilities) would not be recorded either. Such should really be addresses first, more or less. #2: Pascal Bleser (pbleser) (2009-08-10 01:30:22) (reply to #1) No question, it's a mid term objective. And not exactly trivial to solve either. I posted this feature rather as a reminder that that enhancement exists, and that Fedora is trying to get it implemented. Just to keep an eye on it ;) #3: Cristian Rodríguez (elvigia) (2010-10-05 20:45:55) I have enabled support for file capabilities in rpm using the %caps() macro in factory However having it enabled in rpm is not that useful as the actual feature has to be activated manually by the user booting with file_caps=1 , does anyone know the reason why it isnt enabled by default ? + #4: Ludwig Nussel (lnussel) (2010-10-11 09:59:23) + Before we can use fscaps in packages... + 1) we need a mechanism that handles fscaps similar to /etc/permissions + 2) we need an rpmlint check + 3) binaries need to be audited whether they are suitable for fscaps + use, just like setuid binaries -- openSUSE Feature: https://features.opensuse.org/307254