[openFATE 307254] Use POSIX capabilities instead of suid
Feature added by: Pascal Bleser (pbleser)
Feature #307254, revision 1
Title: Use POSIX capabilities instead of suid
openSUSE-11.3: Unconfirmed
Priority
  Requester: Desirable
Requested by: Pascal Bleser (pbleser)
Description:
Use POSIX file capabilities instead of suid processes and running e.g. Apache as root:
* http://www.nuxified.org/blog/dear-distributors
* http://www.friedhoff.org/posixfilecaps.html
* https://www.redhat.com/archives/fedora-devel-list/2009-July/msg01568.html
-- openSUSE Feature: https://features.opensuse.org/307254
Feature changed by: Jan Engelhardt (jengelh)
Feature #307254, revision 3
+ Discussion:
+ #1: Jan Engelhardt (jengelh) (2009-08-09 14:21:02)
+ Some tools like tar(1) do not even support recording Xattrs/ACLs (yet people still use that for backups), and Filesystem Capabilities (not POSIX capabilities) would not be recorded either. Such should really be addressed first, more or less.
Feature changed by: Pascal Bleser (pbleser)
Feature #307254, revision 4
Priority
-   Requester: Desirable
+   Requester: Neutral
Feature changed by: Pascal Bleser (pbleser)
Feature #307254, revision 5
+ #2: Pascal Bleser (pbleser) (2009-08-10 01:30:22) (reply to #1)
+ No question, it's a mid-term objective. And not exactly trivial to solve either.
+ I posted this feature rather as a reminder that that enhancement exists, and that Fedora is trying to get it implemented. Just to keep an eye on it ;)
Feature changed by: Cristian Rodríguez (elvigia)
Feature #307254, revision 8
+ Developer: (Novell)
+ #3: Cristian Rodríguez (elvigia) (2010-10-05 20:45:55)
+ I have enabled support for file capabilities in rpm using the %caps() macro in Factory.
+ However, having it enabled in rpm is not that useful, as the actual feature has to be activated manually by the user booting with file_caps=1; does anyone know the reason why it isn't enabled by default?
Feature changed by: Cristian Rodríguez (elvigia)
Feature #307254, revision 9
+ Developer: (Novell)
Feature changed by: Ludwig Nussel (lnussel)
Feature #307254, revision 10
+ #4: Ludwig Nussel (lnussel) (2010-10-11 09:59:23)
+ Before we can use fscaps in packages...
+ 1) we need a mechanism that handles fscaps similar to /etc/permissions
+ 2) we need an rpmlint check
+ 3) binaries need to be audited whether they are suitable for fscaps use, just like setuid binaries
Feature changed by: Ludwig Nussel (lnussel)
Feature #307254, revision 11
+ #5: Ludwig Nussel (lnussel) (2010-10-28 13:20:50)
+ Are we absolutely sure that 11.4 does support file capabilities by default?
+ I wonder whether to implement a runtime-switchable way between traditional suid binaries and fscaps.
+ Also, what about run-time upgrades to the new distro? In that case the old kernel without fscaps is running, but we would install binaries that rely on fscaps. I.e. the system wouldn't work properly until reboot.
Feature changed by: Andreas Jaeger (a_jaeger)
Feature #307254, revision 12
- openSUSE-11.3: Unconfirmed
+ openSUSE-11.3: Rejected by Andreas Jaeger (a_jaeger)
+   reject date: 2010-11-04 13:34:16
+   reject reason: not done
+ openSUSE-11.4: New
+ Priority
+   Requester: Neutral
+ #6: Andreas Jaeger (a_jaeger) (2010-11-04 13:35:21)
+ Seems to be the same idea that Fedora is doing now: http://lwn.net/Articles/412237/
Feature changed by: Ludwig Nussel (lnussel)
Feature #307254, revision 13
+ #7: Ludwig Nussel (lnussel) (2010-11-04 14:08:42) (reply to #6)
+ Yes. My current plan is to not change attributes in the packages though. Instead, applying fscaps happens automatically via the /etc/permissions mechanism if the system supports it. That avoids the problems Fedora sees atm with file systems that do not support fscaps. See home:lnussel:fscaps for the current state.
Feature changed by: Ludwig Nussel (lnussel)
Feature #307254, revision 14
+ Developer: (Novell)
+ * https://bugzilla.redhat.com/show_bug.cgi?id=646440
+ * http://fedoraproject.org/wiki/Features/RemoveSETUID
Feature changed by: Cristian Rodríguez (elvigia)
Feature #307254, revision 19
+ Developer: (Novell)
Feature changed by: Cristian Rodríguez (elvigia)
Feature #307254, revision 20
+ * http://people.redhat.com/sgrubb/libcap-ng/index.html
+ * https://fedoraproject.org/wiki/Features/LowerProcessCapabilities
Feature changed by: Cristian Rodríguez (elvigia)
Feature #307254, revision 21
+ #8: Cristian Rodríguez (elvigia) (2010-11-05 01:53:36) (reply to #5)
+ It is disabled by default; one has to boot with file_caps=1. Does anyone know why that is?
Feature changed by: Sławomir Lach (Lachu)
Feature #307254, revision 24
+ #9: Sławomir Lach (lachu) (2010-11-07 10:17:22)
+ I doubt POSIX capabilities are more secure. Imagine that the program is still run with user privileges plus some capabilities. The user can debug the program, change its memory, etc.
-- openSUSE Feature: https://features.opensuse.org/307254
Feature changed by: Sławomir Lach (Lachu)
Feature #307254, revision 25
Title: Use POSIX capabilities instead of suid
openSUSE-11.3: Rejected by Andreas Jaeger (a_jaeger)
  reject date: 2010-11-04 13:34:16
  reject reason: not done
  Priority Requester: Neutral
openSUSE-11.4: New
  Priority Requester: Neutral
Requested by: Pascal Bleser (pbleser)
Developer: (Novell)
Developer: (Novell)
Developer: (Novell)
Developer: (Novell)
Description: [unchanged]
Discussion:
[#1 to #9 unchanged, see above]
+ #10: Sławomir Lach (lachu) (2010-11-07 10:53:15)
+ Maybe the PolicyKit team will add support for PCaps to PKexec? In this case any process can run a process with some capabilities, but also in a different process group.
Feature changed by: Ludwig Nussel (lnussel)
Feature #307254, revision 26
Title: Use POSIX capabilities instead of suid
openSUSE-11.3: Rejected by Andreas Jaeger (a_jaeger)
  reject date: 2010-11-04 13:34:16
  reject reason: not done
  Priority Requester: Neutral
openSUSE-11.4: New
  Priority Requester: Neutral
Requested by: Pascal Bleser (pbleser)
Developer: (Novell)
Developer: Cristian Rodríguez (elvigia)
Developer: Cristian Rodríguez (elvigia)
Developer: Cristian Rodríguez (elvigia)
Partner organization: openSUSE.org
Description: [unchanged]
Discussion:
[#1 to #10 unchanged, see above]
+ #11: Ludwig Nussel (lnussel) (2010-11-24 13:29:38)
+ fscaps support is now implemented in the permissions package. See ping in the iputils package as an example.
Feature changed by: Andreas Jaeger (a_jaeger)
Feature #307254, revision 27
Title: Use POSIX capabilities instead of suid
openSUSE-11.3: Rejected by Andreas Jaeger (a_jaeger)
  reject date: 2010-11-04 13:34:16
  reject reason: not done
  Priority Requester: Neutral
- openSUSE-11.4: New
+ openSUSE-11.4: Evaluation by engineering manager
  Priority Requester: Neutral
Requested by: Pascal Bleser (pbleser)
+ Product Manager: openfate dummy manager (openfate-manager-dummy)
+ Project Manager: openfate dummy manager (openfate-manager-dummy)
+ Engineering Manager: openfate dummy manager (openfate-manager-dummy)
Developer: (Novell)
Developer: Cristian Rodríguez (elvigia)
Developer: Cristian Rodríguez (elvigia)
Developer: Cristian Rodríguez (elvigia)
Partner organization: openSUSE.org
Description: [unchanged]
Discussion: [#1 to #11 unchanged, see above]
Feature changed by: Ludwig Nussel (lnussel)
Feature #307254, revision 28
Title: Use POSIX capabilities instead of suid
openSUSE-11.3: Rejected by Andreas Jaeger (a_jaeger)
  reject date: 2010-11-04 13:34:16
  reject reason: not done
  Priority Requester: Neutral
openSUSE-11.4: Evaluation by engineering manager
  Priority Requester: Neutral
Requested by: Pascal Bleser (pbleser)
Product Manager: openfate dummy manager (openfate-manager-dummy)
Project Manager: openfate dummy manager (openfate-manager-dummy)
Engineering Manager: openfate dummy manager (openfate-manager-dummy)
Developer: (Novell)
Developer: Cristian Rodríguez (elvigia)
Developer: Cristian Rodríguez (elvigia)
Developer: Cristian Rodríguez (elvigia)
Partner organization: openSUSE.org
Description:
Use POSIX file capabilities instead of suid processes and running e.g. Apache as root:
* http://www.nuxified.org/blog/dear-distributors
* http://www.friedhoff.org/posixfilecaps.html
* https://www.redhat.com/archives/fedora-devel-list/2009-July/msg01568.html
* https://bugzilla.redhat.com/show_bug.cgi?id=646440
+ (https://bugzilla.redhat.com/show_bug.cgi?id=646440)
* http://fedoraproject.org/wiki/Features/RemoveSETUID
+ (http://fedoraproject.org/wiki/Features/RemoveSETUID)
* http://people.redhat.com/sgrubb/libcap-ng/index.html
* https://fedoraproject.org/wiki/Features/LowerProcessCapabilities
-
+ Status: fscaps support is available at packaging level via /etc/permissions. See iputils as an example of how to do it.
Discussion: [#1 to #11 unchanged, see above]
Feature changed by: Robert Davies (robopensuse)
Feature #307254, revision 30
Title: Use POSIX capabilities instead of suid
openSUSE-11.3: Rejected by Andreas Jaeger (a_jaeger)
  reject date: 2010-11-04 13:34:16
  reject reason: not done
  Priority Requester: Neutral
openSUSE-11.4: Evaluation by engineering manager
  Priority Requester: Neutral
Requested by: Pascal Bleser (pbleser)
Developer: (Novell)
Developer: Cristian Rodríguez (elvigia)
Developer: Cristian Rodríguez (elvigia)
Developer: Cristian Rodríguez (elvigia)
Partner organization: openSUSE.org
Description: [unchanged]
Status: fscaps support is available at packaging level via /etc/permissions. See iputils as an example of how to do it.
Discussion:
[#1 to #9 unchanged, see above]
+ #12: Robert Davies (robopensuse) (2011-02-04 14:44:54) (reply to #9)
+ The escalation of privilege is still controlled the way it would be for a suid root program; they have, however, a finer-grained "just enough" level of privilege rather than the whole shebang. Suppose you find a way to overwrite the stack in ping(1): if that does not permit you a root shell but simply a privileged socket, it is much harder to exploit the flaw in the program.
+ You are right, capabilities should not be given to user-owned programs.
[#10 and #11 unchanged, see above]
Feature changed by: Konstantinos Koudaras (warlordfff)
Feature #307254, revision 31
Title: Use POSIX capabilities instead of suid
openSUSE-11.3: Rejected by Andreas Jaeger (a_jaeger)
  reject date: 2010-11-04 13:34:16
  reject reason: not done
  Priority Requester: Neutral
openSUSE-11.4: Evaluation by engineering manager
  Priority Requester: Neutral
Requested by: Pascal Bleser (pbleser)
Developer: (Novell)
Developer: Cristian Rodríguez (elvigia)
Developer: Cristian Rodríguez (elvigia)
Developer: Cristian Rodríguez (elvigia)
Partner organization: openSUSE.org
Description: [unchanged]
Status: fscaps support is available at packaging level via /etc/permissions. See iputils as an example of how to do it.
Discussion:
[#1 to #12 unchanged, see above]
+ #13: Konstantinos Koudaras (warlordfff) (2011-02-22 22:03:25)
+ I proposed looking at this idea on the GSOC ideas wiki page. We are looking for mentors, so if anyone wants to help, please add your name to the wiki page (http://en.opensuse.org/openSUSE:GSOC_2011_Ideas).
Feature changed by: Ludwig Nussel (lnussel)
Feature #307254, revision 32
Title: Use POSIX capabilities instead of suid
openSUSE-11.3: Rejected by Andreas Jaeger (a_jaeger)
reject date: 2010-11-04 13:34:16
reject reason: not done
Priority Requester: Neutral
openSUSE-11.4: Evaluation by engineering manager
Priority Requester: Neutral
Requested by: Pascal Bleser (pbleser)
Developer: Cristian Rodríguez (elvigia)
Partner organization: openSUSE.org

Description:
Use POSIX file capabilities instead of suid processes and running e.g. Apache as root:
* http://www.nuxified.org/blog/dear-distributors
* http://www.friedhoff.org/posixfilecaps.html
* https://www.redhat.com/archives/fedora-devel-list/2009-July/msg01568.html
* https://bugzilla.redhat.com/show_bug.cgi?id=646440
* http://fedoraproject.org/wiki/Features/RemoveSETUID
* http://people.redhat.com/sgrubb/libcap-ng/index.html
* https://fedoraproject.org/wiki/Features/LowerProcessCapabilities

Status: fscaps support is available at packaging level via /etc/permissions. See iputils as an example of how to do it.

Discussion:

#1: Jan Engelhardt (jengelh) (2009-08-09 14:21:02)
Some tools like tar(1) do not even support recording Xattrs/ACLs (yet people still use that for backups), and Filesystem Capabilities (not POSIX capabilities) would not be recorded either. Such should really be addressed first, more or less.

#2: Pascal Bleser (pbleser) (2009-08-10 01:30:22) (reply to #1)
No question, it's a mid-term objective. And not exactly trivial to solve either.
I posted this feature rather as a reminder that that enhancement exists, and that Fedora is trying to get it implemented. Just to keep an eye on it ;)

#3: Cristian Rodríguez (elvigia) (2010-10-05 20:45:55)
I have enabled support for file capabilities in rpm using the %caps() macro in Factory. However, having it enabled in rpm is not that useful, as the actual feature has to be activated manually by the user booting with file_caps=1. Does anyone know the reason why it isn't enabled by default?

#4: Ludwig Nussel (lnussel) (2010-10-11 09:59:23)
Before we can use fscaps in packages...
1) we need a mechanism that handles fscaps similar to /etc/permissions
2) we need an rpmlint check
3) binaries need to be audited whether they are suitable for fscaps use, just like setuid binaries

#5: Ludwig Nussel (lnussel) (2010-10-28 13:20:50)
Are we absolutely sure that 11.4 does support file capabilities by default? I wonder whether to implement a runtime-switchable way between traditional suid binaries and fscaps. Also, what about run-time upgrades to the new distro? In that case the old kernel without fscaps is running, but we would install binaries that rely on fscaps. I.e. the system wouldn't work properly until reboot.

#8: Cristian Rodríguez (elvigia) (2010-11-05 01:53:36) (reply to #5)
It is disabled by default; you have to boot with file_caps=1. Does anyone know why that is?

#6: Andreas Jaeger (a_jaeger) (2010-11-04 13:35:21)
Seems to be the same idea that Fedora is doing now: http://lwn.net/Articles/412237/

#7: Ludwig Nussel (lnussel) (2010-11-04 14:08:42) (reply to #6)
Yes. My current plan is to not change attributes in the packages, though. Instead, applying fscaps happens automatically via the /etc/permissions mechanism if the system supports it. That avoids the problems Fedora sees atm with file systems that do not support fscaps. See home:lnussel:fscaps for the current state.

#9: Sławomir Lach (lachu) (2010-11-07 10:17:22)
I doubt POSIX capabilities are more secure. Imagine that the program is still run with user privileges plus some capabilities. The user can debug the program, change its memory, etc.

#12: Robert Davies (robopensuse) (2011-02-04 14:44:54) (reply to #9)
The escalation of privilege is still controlled in the way a suid root program would be; they have, however, a finer-grained "just enough" level of privilege rather than the whole shebang. Suppose you find a way to overwrite the stack in ping(1): if that does not permit you a root shell but simply a privileged socket, it is much harder to exploit the flaw in the program. You are right, capabilities should not be given to user-owned programs.

#10: Sławomir Lach (lachu) (2010-11-07 10:53:15)
Maybe the PolicyKit team will add support for PCaps to PKexec? In this case any process can run a process with some capabilities, but also in a different process group.

#11: Ludwig Nussel (lnussel) (2010-11-24 13:29:38)
fscaps support is now implemented in the permissions package. See ping in package iputils as an example.

#13: Konstantinos Koudaras (warlordfff) (2011-02-22 22:03:25)
I proposed this idea on the GSOC ideas wiki page. We are looking for mentors, so if anyone wants to help, please add your name to the wiki page (http://en.opensuse.org/openSUSE:GSOC_2011_Ideas).

+ #14: Ludwig Nussel (lnussel) (2011-11-07 10:49:20)
+ I had to disable fscaps support again as a last-minute change for 12.1, since tar doesn't support fscaps but is used by kiwi to create images. Resulting appliances therefore don't work.

-- openSUSE Feature: https://features.opensuse.org/307254
Feature changed by: Cristian Morales Vega (RedDwarf)
Feature #307254, revision 33
Title: Use POSIX capabilities instead of suid
openSUSE-11.3: Rejected by Andreas Jaeger (a_jaeger)
reject date: 2010-11-04 13:34:16
reject reason: not done
Priority Requester: Neutral
openSUSE-11.4: Evaluation by engineering manager
Priority Requester: Neutral
Requested by: Pascal Bleser (pbleser)
Developer: Cristian Rodríguez (elvigia)
Partner organization: openSUSE.org

Description:
Use POSIX file capabilities instead of suid processes and running e.g. Apache as root:
* http://www.nuxified.org/blog/dear-distributors
* http://www.friedhoff.org/posixfilecaps.html
* https://www.redhat.com/archives/fedora-devel-list/2009-July/msg01568.html
* https://bugzilla.redhat.com/show_bug.cgi?id=646440
* http://fedoraproject.org/wiki/Features/RemoveSETUID
* http://people.redhat.com/sgrubb/libcap-ng/index.html
* https://fedoraproject.org/wiki/Features/LowerProcessCapabilities

Status: fscaps support is available at packaging level via /etc/permissions. See iputils as an example of how to do it.

Discussion:

#1: Jan Engelhardt (jengelh) (2009-08-09 14:21:02)
Some tools like tar(1) do not even support recording Xattrs/ACLs (yet people still use that for backups), and Filesystem Capabilities (not POSIX capabilities) would not be recorded either. Such should really be addressed first, more or less.

#2: Pascal Bleser (pbleser) (2009-08-10 01:30:22) (reply to #1)
No question, it's a mid-term objective. And not exactly trivial to solve either.
I posted this feature rather as a reminder that that enhancement exists, and that Fedora is trying to get it implemented. Just to keep an eye on it ;)

#3: Cristian Rodríguez (elvigia) (2010-10-05 20:45:55)
I have enabled support for file capabilities in rpm using the %caps() macro in Factory. However, having it enabled in rpm is not that useful, as the actual feature has to be activated manually by the user booting with file_caps=1. Does anyone know the reason why it isn't enabled by default?

#4: Ludwig Nussel (lnussel) (2010-10-11 09:59:23)
Before we can use fscaps in packages...
1) we need a mechanism that handles fscaps similar to /etc/permissions
2) we need an rpmlint check
3) binaries need to be audited whether they are suitable for fscaps use, just like setuid binaries

#5: Ludwig Nussel (lnussel) (2010-10-28 13:20:50)
Are we absolutely sure that 11.4 does support file capabilities by default? I wonder whether to implement a runtime-switchable way between traditional suid binaries and fscaps. Also, what about run-time upgrades to the new distro? In that case the old kernel without fscaps is running, but we would install binaries that rely on fscaps. I.e. the system wouldn't work properly until reboot.

#8: Cristian Rodríguez (elvigia) (2010-11-05 01:53:36) (reply to #5)
It is disabled by default; you have to boot with file_caps=1. Does anyone know why that is?

#6: Andreas Jaeger (a_jaeger) (2010-11-04 13:35:21)
Seems to be the same idea that Fedora is doing now: http://lwn.net/Articles/412237/

#7: Ludwig Nussel (lnussel) (2010-11-04 14:08:42) (reply to #6)
Yes. My current plan is to not change attributes in the packages, though. Instead, applying fscaps happens automatically via the /etc/permissions mechanism if the system supports it. That avoids the problems Fedora sees atm with file systems that do not support fscaps. See home:lnussel:fscaps for the current state.

#9: Sławomir Lach (lachu) (2010-11-07 10:17:22)
I doubt POSIX capabilities are more secure. Imagine that the program is still run with user privileges plus some capabilities. The user can debug the program, change its memory, etc.

#12: Robert Davies (robopensuse) (2011-02-04 14:44:54) (reply to #9)
The escalation of privilege is still controlled in the way a suid root program would be; they have, however, a finer-grained "just enough" level of privilege rather than the whole shebang. Suppose you find a way to overwrite the stack in ping(1): if that does not permit you a root shell but simply a privileged socket, it is much harder to exploit the flaw in the program. You are right, capabilities should not be given to user-owned programs.

#10: Sławomir Lach (lachu) (2010-11-07 10:53:15)
Maybe the PolicyKit team will add support for PCaps to PKexec? In this case any process can run a process with some capabilities, but also in a different process group.

#11: Ludwig Nussel (lnussel) (2010-11-24 13:29:38)
fscaps support is now implemented in the permissions package. See ping in package iputils as an example.

#13: Konstantinos Koudaras (warlordfff) (2011-02-22 22:03:25)
I proposed this idea on the GSOC ideas wiki page. We are looking for mentors, so if anyone wants to help, please add your name to the wiki page (http://en.opensuse.org/openSUSE:GSOC_2011_Ideas).

#14: Ludwig Nussel (lnussel) (2011-11-07 10:49:20)
I had to disable fscaps support again as a last-minute change for 12.1, since tar doesn't support fscaps but is used by kiwi to create images. Resulting appliances therefore don't work.

+ #15: Cristian Morales Vega (reddwarf) (2012-04-14 14:35:25) (reply to #14)
+ What's the current state?

-- openSUSE Feature: https://features.opensuse.org/307254
Feature changed by: Cristian Rodríguez (elvigia)
Feature #307254, revision 34
Title: Use POSIX capabilities instead of suid
openSUSE-11.3: Rejected by Andreas Jaeger (a_jaeger)
reject date: 2010-11-04 13:34:16
reject reason: not done
Priority Requester: Neutral
openSUSE-11.4: Evaluation by engineering manager
Priority Requester: Neutral
Requested by: Pascal Bleser (pbleser)
Developer: Cristian Rodríguez (elvigia)
Partner organization: openSUSE.org

Description:
Use POSIX file capabilities instead of suid processes and running e.g. Apache as root:
* http://www.nuxified.org/blog/dear-distributors
* http://www.friedhoff.org/posixfilecaps.html
* https://www.redhat.com/archives/fedora-devel-list/2009-July/msg01568.html
* https://bugzilla.redhat.com/show_bug.cgi?id=646440
* http://fedoraproject.org/wiki/Features/RemoveSETUID
* http://people.redhat.com/sgrubb/libcap-ng/index.html
* https://fedoraproject.org/wiki/Features/LowerProcessCapabilities

Status: fscaps support is available at packaging level via /etc/permissions. See iputils as an example of how to do it.

Discussion:

#1: Jan Engelhardt (jengelh) (2009-08-09 14:21:02)
Some tools like tar(1) do not even support recording Xattrs/ACLs (yet people still use that for backups), and Filesystem Capabilities (not POSIX capabilities) would not be recorded either. Such should really be addressed first, more or less.

#2: Pascal Bleser (pbleser) (2009-08-10 01:30:22) (reply to #1)
No question, it's a mid-term objective. And not exactly trivial to solve either.
I posted this feature rather as a reminder that that enhancement exists, and that Fedora is trying to get it implemented. Just to keep an eye on it ;)

#3: Cristian Rodríguez (elvigia) (2010-10-05 20:45:55)
I have enabled support for file capabilities in rpm using the %caps() macro in Factory. However, having it enabled in rpm is not that useful, as the actual feature has to be activated manually by the user booting with file_caps=1. Does anyone know the reason why it isn't enabled by default?

#4: Ludwig Nussel (lnussel) (2010-10-11 09:59:23)
Before we can use fscaps in packages...
1) we need a mechanism that handles fscaps similar to /etc/permissions
2) we need an rpmlint check
3) binaries need to be audited whether they are suitable for fscaps use, just like setuid binaries

#5: Ludwig Nussel (lnussel) (2010-10-28 13:20:50)
Are we absolutely sure that 11.4 does support file capabilities by default? I wonder whether to implement a runtime-switchable way between traditional suid binaries and fscaps. Also, what about run-time upgrades to the new distro? In that case the old kernel without fscaps is running, but we would install binaries that rely on fscaps. I.e. the system wouldn't work properly until reboot.

#8: Cristian Rodríguez (elvigia) (2010-11-05 01:53:36) (reply to #5)
It is disabled by default; you have to boot with file_caps=1. Does anyone know why that is?

#6: Andreas Jaeger (a_jaeger) (2010-11-04 13:35:21)
Seems to be the same idea that Fedora is doing now: http://lwn.net/Articles/412237/

#7: Ludwig Nussel (lnussel) (2010-11-04 14:08:42) (reply to #6)
Yes. My current plan is to not change attributes in the packages, though. Instead, applying fscaps happens automatically via the /etc/permissions mechanism if the system supports it. That avoids the problems Fedora sees atm with file systems that do not support fscaps. See home:lnussel:fscaps for the current state.

#9: Sławomir Lach (lachu) (2010-11-07 10:17:22)
I doubt POSIX capabilities are more secure. Imagine that the program is still run with user privileges plus some capabilities. The user can debug the program, change its memory, etc.

#12: Robert Davies (robopensuse) (2011-02-04 14:44:54) (reply to #9)
The escalation of privilege is still controlled in the way a suid root program would be; they have, however, a finer-grained "just enough" level of privilege rather than the whole shebang. Suppose you find a way to overwrite the stack in ping(1): if that does not permit you a root shell but simply a privileged socket, it is much harder to exploit the flaw in the program. You are right, capabilities should not be given to user-owned programs.

#10: Sławomir Lach (lachu) (2010-11-07 10:53:15)
Maybe the PolicyKit team will add support for PCaps to PKexec? In this case any process can run a process with some capabilities, but also in a different process group.

#11: Ludwig Nussel (lnussel) (2010-11-24 13:29:38)
fscaps support is now implemented in the permissions package. See ping in package iputils as an example.

#13: Konstantinos Koudaras (warlordfff) (2011-02-22 22:03:25)
I proposed this idea on the GSOC ideas wiki page. We are looking for mentors, so if anyone wants to help, please add your name to the wiki page (http://en.opensuse.org/openSUSE:GSOC_2011_Ideas).

#14: Ludwig Nussel (lnussel) (2011-11-07 10:49:20)
I had to disable fscaps support again as a last-minute change for 12.1, since tar doesn't support fscaps but is used by kiwi to create images. Resulting appliances therefore don't work.

#15: Cristian Morales Vega (reddwarf) (2012-04-14 14:35:25) (reply to #14)
What's the current state?

+ #16: Cristian Rodríguez (elvigia) (2012-08-04 04:16:08) (reply to #14)
+ Well, according to https://bugzilla.redhat.com/show_bug.cgi?id=771927 it is fixed; another, better option is to just dump GNU tar and use bsdtar, which is able to preserve capabilities just fine.

-- openSUSE Feature: https://features.opensuse.org/307254
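Two points in the thread above are worth making concrete: the "ping with just a privileged socket" argument in #12, and the tar problem in #1, #14 and #16, which comes down to one extended attribute, security.capability, that an archiver has to carry along or the binary silently loses its privilege. The following is an added example, not code from openSUSE, iputils, the permissions package or libcap. It decodes and encodes the vfs_cap_data blob stored in that xattr, and applies the execve capability-transition rule from capabilities(7) to show what a process holds after running an fscaps ping versus a setuid-root one. Assumptions are marked in the code: the sample blob is constructed (it is what `setcap cap_net_raw=ep` writes), the capability-name table is a subset, and CAP_LAST_CAP is taken as 40, i.e. a 5.9-or-later kernel.

```python
"""Decode/encode the security.capability xattr (Linux file capabilities) and
compute the capability sets a process gets on execve, for an fscaps binary
and for a setuid-root binary.  Added example, not openSUSE or iputils code."""
import os
import struct

# Capability bit numbers from <linux/capability.h>; the numbering is kernel ABI.
# Subset only (assumption: enough for the binaries discussed in the thread).
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    3: "cap_fowner", 4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid",
    7: "cap_setuid", 8: "cap_setpcap", 12: "cap_net_admin", 13: "cap_net_raw",
    21: "cap_sys_admin", 27: "cap_mknod", 31: "cap_setfcap",
}
CAP_SETUID, CAP_NET_RAW = 7, 13
CAP_LAST_CAP = 40                          # assumption: kernel >= 5.9
ALL_CAPS = (1 << (CAP_LAST_CAP + 1)) - 1   # default bounding set of a root-started process

# struct vfs_cap_data (include/uapi/linux/capability.h), all fields little-endian.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
VFS_CAP_REVISION_1 = 0x01000000   # 1 x (permitted, inheritable) u32 pair -> 12 bytes
VFS_CAP_REVISION_2 = 0x02000000   # 2 x (permitted, inheritable) u32 pair -> 20 bytes
VFS_CAP_REVISION_3 = 0x03000000   # revision 2 plus a rootid (user namespaces) -> 24 bytes


def decode_fscaps(blob: bytes) -> dict:
    """Parse a raw security.capability value into integer bitmasks."""
    (magic,) = struct.unpack_from("<I", blob, 0)
    revision = magic & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_1:
        words = 1
    elif revision in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        words = 2
    else:
        raise ValueError(f"unknown vfs_cap_data revision 0x{revision:08x}")
    expected = 4 + 8 * words + (4 if revision == VFS_CAP_REVISION_3 else 0)
    if len(blob) != expected:
        raise ValueError(f"revision 0x{revision:08x} needs {expected} bytes, got {len(blob)}")
    permitted = inheritable = 0
    for i in range(words):                       # low word first, then high word
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = 0
    if revision == VFS_CAP_REVISION_3:
        (rootid,) = struct.unpack_from("<I", blob, 4 + 8 * words)
    return {"permitted": permitted, "inheritable": inheritable,
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE), "rootid": rootid}


def encode_fscaps(permitted: int, inheritable: int = 0, effective: bool = True) -> bytes:
    """Build a revision-2 blob, i.e. what `setcap cap_xxx=ep` stores."""
    magic = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    return struct.pack("<IIIII", magic,
                       permitted & 0xFFFFFFFF, inheritable & 0xFFFFFFFF,
                       permitted >> 32, inheritable >> 32)


def cap_names(mask: int) -> list:
    return [CAP_NAMES.get(b, f"cap_{b}") for b in range(CAP_LAST_CAP + 1) if mask >> b & 1]


def caps_after_exec(fcaps: dict, p_inheritable: int = 0, p_bounding: int = ALL_CAPS,
                    p_ambient: int = 0) -> dict:
    """execve transition for a non-setuid binary carrying file capabilities
    (capabilities(7)).  A file with fscaps is 'privileged', so ambient is dropped."""
    a_new = 0 if (fcaps["permitted"] or fcaps["inheritable"]) else p_ambient
    p_new = (p_inheritable & fcaps["inheritable"]) | (fcaps["permitted"] & p_bounding) | a_new
    e_new = p_new if fcaps["effective"] else a_new
    return {"permitted": p_new, "effective": e_new}


def suid_root_after_exec(p_inheritable: int = 0, p_bounding: int = ALL_CAPS) -> dict:
    """Same transition for a setuid-root binary run by an unprivileged user with default
    securebits: the file sets are treated as all-ones, so the process gets the entire
    bounding set, and it is effective because euid becomes 0."""
    p_new = p_inheritable | p_bounding
    return {"permitted": p_new, "effective": p_new}


def read_fscaps(path: str):
    """Audit helper: fscaps of a real file, or None (no xattr, unsupported fs, non-Linux)."""
    if not hasattr(os, "getxattr"):
        return None
    try:
        return decode_fscaps(os.getxattr(path, "security.capability"))
    except OSError:
        return None


if __name__ == "__main__":
    # Constructed input: the xattr value `setcap cap_net_raw=ep /bin/ping` produces.
    ping_blob = bytes.fromhex("0100000200200000000000000000000000000000")
    fcaps = decode_fscaps(ping_blob)
    print("file caps:", cap_names(fcaps["permitted"]), "(effective)" if fcaps["effective"] else "")
    print("after exec, fscaps ping:", cap_names(caps_after_exec(fcaps)["effective"]))
    print("after exec, suid-root ping:", len(cap_names(suid_root_after_exec()["effective"])), "caps")
    for path in ("/bin/ping", "/usr/bin/ping"):
        print(path, read_fscaps(path))
```

The practical check this enables: run `getfattr -n security.capability -e hex` (or `getcap`) on a binary before archiving and again after extracting it, and compare. An archiver that drops the xattr leaves a ping that fails with a permission error on its raw socket, which is exactly the appliance breakage described in #14. The transition functions also make the #12 argument explicit: a memory-corruption bug in an fscaps ping yields a process whose effective set is cap_net_raw and nothing else, while the same bug in a setuid-root ping yields the full bounding set, cap_setuid included.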
participants (1): fate_noreply@suse.de