From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1JdUuE-0000Pj-FS for garchives@archives.gentoo.org; Sun, 23 Mar 2008 18:26:54 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id DEDF2E04EC; Sun, 23 Mar 2008 18:26:52 +0000 (UTC) Received: from fk-out-0910.google.com (fk-out-0910.google.com [209.85.128.187]) by pigeon.gentoo.org (Postfix) with ESMTP id 9B9B7E04EC for ; Sun, 23 Mar 2008 18:26:52 +0000 (UTC) Received: by fk-out-0910.google.com with SMTP id 18so3552425fkq.2 for ; Sun, 23 Mar 2008 11:26:52 -0700 (PDT) Received: by 10.78.118.5 with SMTP id q5mr11960034huc.62.1206296811776; Sun, 23 Mar 2008 11:26:51 -0700 (PDT) Received: from snowcone ( [213.121.151.206]) by mx.google.com with ESMTPS id p28sm3413075hub.59.2008.03.23.11.26.50 (version=TLSv1/SSLv3 cipher=OTHER); Sun, 23 Mar 2008 11:26:51 -0700 (PDT) Date: Sun, 23 Mar 2008 18:26:45 +0000 From: Ciaran McCreesh To: gentoo-dev@lists.gentoo.org Subject: Re: [gentoo-dev] [SECURITY] Minimizing the suid usage Message-ID: <20080323182645.76fc5c86@snowcone> In-Reply-To: <9e0cf0bf0803231121t75eb67abu60f17f54086dd32@mail.gmail.com> References: <9e0cf0bf0803231121t75eb67abu60f17f54086dd32@mail.gmail.com> X-Mailer: Claws Mail 3.3.1 (GTK+ 2.12.9; x86_64-pc-linux-gnu) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org Mime-Version: 1.0 Content-Type: multipart/signed; boundary="Sig_/SZvYmaTXK4mNxJsx1fFNOuf"; protocol="application/pgp-signature"; micalg=PGP-SHA1 X-Archives-Salt: 9381dbbf-5079-4226-a7e4-e1e471698292 X-Archives-Hash: aa298823ae9952c346769059d6dec0cc --Sig_/SZvYmaTXK4mNxJsx1fFNOuf Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable On Sun, 23 Mar 2008 20:21:29 +0200 "Alon Bar-Lev" wrote: > linux-2.6.24 supports file based capabilities via: > CONFIG_SECURITY_FILE_CAPABILITIES >=20 > This will provide more secured installation for users with a little > effort, less usage of root user. >=20 > What do you think? Needs package manager support. Effectively this requires an EAPI bump, since ebuilds need to know whether they can rely upon caps being preserved across a merge or whether they have to degrade to a setuid bit. Package manager support shouldn't be very hard, and there just needs to be a minimal interface for it, so an EAPI proposal shouldn't be tricky (and if there's call for it, you could ask for EAPI 2 being EAPI 1 + file caps). --=20 Ciaran McCreesh --Sig_/SZvYmaTXK4mNxJsx1fFNOuf Content-Type: application/pgp-signature; name=signature.asc Content-Disposition: attachment; filename=signature.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.7 (GNU/Linux) iD8DBQFH5qDn96zL6DUtXhERArybAKCqZdCsTIyN2YZRQN4ebqAE56TDdgCgnm9i VfjO6WvARtaAht3D0WjPwUM= =mB+I -----END PGP SIGNATURE----- --Sig_/SZvYmaTXK4mNxJsx1fFNOuf-- -- gentoo-dev@lists.gentoo.org mailing list