[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Fedora 11: moving to posix file capabilities?



On Wed, 2008-10-29 at 17:02 -0400, Bill Nottingham wrote:
> seth vidal (skvidal fedoraproject org) said: 
> > > Are we ready to start considering moving away from SUID bits to 
> > > capabilities, in Fedora 11 maybe?
> > 
> > How does that mesh with networked file systems (nfs, samba)?
> 
> I don't have firsthand knowledge, but I would suspect 'badly'.
> 
> Bill
> 

Since the capabilities are stored in xattrs they will run into the same
problems that SELinux does. Labeled NFS is working to address this by
providing a per file attribute through NFSv4 for extra security
information. Additionally you could try NFSv4 named attributes for
capabilities but we have found that named attributes do not provide the
semantics needed for our purposes and would require changes to the NFSv4
xattr handler to use a hardcoded attribute name. The possibility of
multiple attributes being sent at the same time was initially raised by
BSD's MAC framework so we will have to look into separating the security
attribute into sections by some identifier (DOI maybe?).

Dave 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]