From: Rumen Yotov
Reply-To: rumen_yotov@dir.bg
To: gentoo-dev@lists.gentoo.org
Date: Tue, 21 Sep 2004 20:43:35 +0300
Subject: Re: [gentoo-dev] USE="acl" in profiles
Message-Id: <1095788610.10960.9.camel@mymach.qrypto.org>

On Tue, 2004-09-21 at 17:58, Chris Gianelloni wrote:
> On Tue, 2004-09-21 at 10:45, Paul de Vrieze wrote:
> > On Tuesday 21 September 2004 16:21, Chris Gianelloni wrote:
> > > before they could use any acl, but I believe that they should be able to
> > > enable it in the kernel without having to have USE=acl... can anyone
> > > confirm this? If not, I'll have to get some testing done on it.
> >
> > Yes, you can enable it in the kernel without. Those patches mainly make
> > coreutils, rsync and others acl aware, keeping acl's with files. You'll also
> > want to have the attr and acl packages.
>
> In that case, consider it removed from the 2004.3 cascaded profile,
> which I will be creating for x86 before too long.

Hi,

Could I suggest you include 'acl' in hardened 2004.3-stages & profiles?

running:

    # emerge system -epv | grep acl

gives:

    [ebuild N ] sys-apps/acl-2.2.13-r3 -debug +nls 0 kB
    [ebuild N ] sys-apps/coreutils-5.2.1-r2 +acl -build -debug +nls (-selinux) -static (-uclibc) 0 kB
    [ebuild N ] net-misc/rsync-2.6.0-r3 +acl -build -debug -static 0 kB
    [ebuild N ] app-editors/vim-core-6.3-r2 +acl -debug +ncurses +nls (-selinux) 0 kB
    [ebuild N ] app-editors/vim-6.3-r1 +acl -cscope -debug +gpm -minimal +ncurses +nls +perl +python -ruby (-selinux) -vim-with-x 0 kB

(sys-apps/acl is only 121 KB in size).

There are 5 packages including sys-apps/acl which use acl in the base system.
Besides this, using ACL complements grsec2 in protecting dirs and files.
Enabling ACL in the kernel for ext2/3, reiserfs, xfs completes the picture for a hardened install.
Think that ACLs are a good addition to ordinary Unix/Linux permissions.

Thanks.
Rumen