-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/29/2011 11:36 AM, Greg KH wrote:
On Fri, Apr 29, 2011 at 08:38:44AM +0200, Marcus Meissner wrote:
On Thu, Apr 28, 2011 at 07:40:08PM -0400, Jeff Mahoney wrote:
On 04/28/2011 02:50 PM, Brandon Philips wrote:
On 13:35 Thu 28 Apr 2011, Jeff Mahoney wrote:
- - patches.suse/file-capabilities-disable-by-default.diff [never submitted]
We should drop it. Upstream has had file caps by default since Nov 2009.
Upstream commits: b3a222e52e4d4be77cc4520a57af1a4a0d8222d1 1f29fae29709b4668979e244c09b2fa78ff1ad59
In doing a zypper dup today, I saw that something is looking at /proc/cmdline for "file_caps" as part of SuSEconfig running. We should probably figure out what that is.
The SuSEconfig permissions module, it decides on whether to handle file caps setting or not depending on the kernel.
Ludwig wants a patch to detect this for years in the mainline kernel, but it is not there yet.
Can you please take care that such a method is exposed by mainline? (file_caps might be disabled or enabled, we should handle both cases and detect it from the kernel.)
The patch doing this in the kernel is queued up to be accepted for the .40 kernel release, so perhaps I should also add it to our tree now so that FACTORY can be converted over to using it and this can be dropped?
If so, just let me know and I will go add it as it is in my upstream kernel tree already.
And it was my fault that it took so long to get accepted for the past 6+ months, sorry, it got lost in my patch queue :(
This has now become interesting, it seems. I just noticed that /bin/ping has capabilities set and is no longer suid root on two of my factory machines. Consequently, it's not working unless I boot with file_caps on the command line. As to whether or not it's currently available, wouldn't something like the attached program work for that? I copied the security.capability attribute from /bin/ping to a test program (as root) and it gives me val=0 on my system without file_caps and val=1 on my system with it when I run it with an unprivileged user. - -Jeff - -- Jeff Mahoney SUSE Labs -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iEYEARECAAYFAk3cYzgACgkQLPWxlyuTD7LV7QCfbRfX7cWwOfuprKSJ8IoPLInk d48AoKezMiMblfX6aw+UySwtGJmUPEe4 =7yjj -----END PGP SIGNATURE-----