Fedora 11: moving to posix file capabilities?
Steve Grubb
sgrubb at redhat.com
Sat Nov 1 14:12:45 UTC 2008
On Saturday 01 November 2008 03:14:05 Dax Kelson wrote:
> On Sat, 2008-11-01 at 01:09 -0600, Dax Kelson wrote:
> > On Wed, 2008-10-29 at 15:02 -0400, Steve Grubb wrote:
> > > We tried to support this in F-10 by having a test run with ping. We
> > > figured that is a simple well defined app that could be used as a test
> > > subject. We opened bz 455713 to document the change over. Turns out
> > > that people compile their own kernels and do not necessarily turn this
> > > on. So, what do we do in that case?
> >
> > I thought more about this.
> >
> > How about a check in rc.sysinit to see if the kernel supports
> > capabilities?
> >
> > If the check fails it could do either or both of the following:
> >
> > 1. Display and log nasty warning message
> > 2. Run the command: chmod u+s `cat /etc/posixcapbinaries`
I don't like self modifying systems. It can generate audit events and cause
aide to complain.
> > Doing 2. would be the "friendly" thing to give the user a non-broken
> > system. It does make it a bit more complicated because you'd want some
> > logic that if they booted back to a kernel with posix capabilities you
> > stripped the suid bits. Also, rpm verity will complain.
>
> Another idea.
>
> Leave all the binaries with SUID bit set, but have the /etc/fstab have
> 'nosuid' on all the filesystems.
The file system capabilities inside the kernel are treated as if they were
suid apps. IOW, nosuid also disables file system capabilities.
-Steve
More information about the fedora-devel-list
mailing list