Fedora 11: moving to posix file capabilities?

David P. Quigley dpquigl at tycho.nsa.gov
Wed Oct 29 21:50:36 UTC 2008


On Wed, 2008-10-29 at 17:02 -0400, Bill Nottingham wrote:
> seth vidal (skvidal at fedoraproject.org) said: 
> > > Are we ready to start considering moving away from SUID bits to 
> > > capabilities, in Fedora 11 maybe?
> > 
> > How does that mesh with networked file systems (nfs, samba)?
> 
> I don't have firsthand knowledge, but I would suspect 'badly'.
> 
> Bill
> 

Since the capabilities are stored in xattrs, they will run into the same
problems that SELinux does. Labeled NFS is working to address this by
providing a per-file attribute through NFSv4 for extra security
information. Additionally, you could try NFSv4 named attributes for
capabilities, but we have found that named attributes do not provide the
semantics needed for our purposes and would require changes to the NFSv4
xattr handler to use a hardcoded attribute name. The possibility of
multiple attributes being sent at the same time was initially raised by
BSD's MAC framework, so we will have to look into separating the security
attribute into sections by some identifier (DOI maybe?).

Dave 
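
The file capabilities discussed in this message are kept in the `security.capability` xattr. The following is an added example, not part of the original message or of any Fedora tooling: it decodes that xattr value using constants from `<linux/capability.h>` and reports when a filesystem has no such attribute to offer. The function names and the sample bytes are constructed for illustration.

```python
import errno
import os
import struct

# Constants from <linux/capability.h>
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision magic -> (version, number of 32-bit permitted/inheritable pairs)
REVISIONS = {0x01000000: (1, 1), 0x02000000: (2, 2), 0x03000000: (3, 2)}
# Subset of capability numbers, enough for the sample below
CAP_NAMES = {7: "cap_setuid", 10: "cap_net_bind_service", 12: "cap_net_admin",
             13: "cap_net_raw", 21: "cap_sys_admin"}

def cap_names(mask):
    """Turn a capability bitmask into a list of names (or bit numbers)."""
    return [CAP_NAMES.get(bit, f"cap_{bit}") for bit in range(64) if mask >> bit & 1]

def decode_file_caps(raw):
    """Decode a security.capability xattr value (struct vfs_cap_data, little-endian)."""
    if len(raw) < 4:
        raise ValueError("value shorter than the magic_etc header")
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    if magic_etc & VFS_CAP_REVISION_MASK not in REVISIONS:
        raise ValueError(f"unknown revision in magic_etc {magic_etc:#010x}")
    version, pairs = REVISIONS[magic_etc & VFS_CAP_REVISION_MASK]
    # v3 appends a 4-byte rootid, which this example validates but does not decode
    expected = 4 + 8 * pairs + (4 if version == 3 else 0)
    if len(raw) != expected:  # the kernel also rejects a size mismatch
        raise ValueError(f"v{version} value must be {expected} bytes, got {len(raw)}")
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {"version": version,
            "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": cap_names(permitted),
            "inheritable": cap_names(inheritable)}

def file_caps(path):
    """Return decoded capabilities for path, or None if no xattr is available."""
    try:
        return decode_file_caps(os.getxattr(path, "security.capability"))
    except OSError as e:
        # ENODATA: attribute not set; ENOTSUP: filesystem cannot store it
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise

# Constructed sample: a v2 value granting cap_net_raw with the effective flag set
SAMPLE = struct.pack("<IIIII", 0x02000001, 1 << 13, 0, 0, 0)
```

Running `file_caps()` on the same binary from a local filesystem and from a network mount shows whether the attribute survives the transport.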



