From: Mike Frysinger
Organization: wh0rd.org
To: gentoo-dev@lists.gentoo.org
Cc: "Alon Bar-Lev"
Subject: Re: [gentoo-dev] [SECURITY] Minimizing the suid usage
Date: Mon, 24 Mar 2008 07:50:50 -0400
Message-Id: <200803240750.50816.vapier@gentoo.org>
In-Reply-To: <9e0cf0bf0803231121t75eb67abu60f17f54086dd32@mail.gmail.com>

On Sunday 23 March 2008, Alon Bar-Lev wrote:
> linux-2.6.24 supports file based capabilities via:
> CONFIG_SECURITY_FILE_CAPABILITIES
>
> This enables the use of filesystem attributes in order to store a
> per-executable capabilities list, more information at [1].
>
> This enables an improved security level for people who don't wish to move
> into SELinux or similar.
>
> I think a new global USE flag (or use current caps) may enable
> ebuilds to set correct capabilities on files.

Diego and I were talking ... we're going to go with USE=filecaps because it's
so new and doesn't require the libcap library in order to work at runtime.
Probably be worthwhile to put together a little eclass of functions to make
people's lives easier ...
-mike
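As an added example (not code from this thread, from Gentoo, or from any eclass), the following C program decodes the `security.capability` extended attribute that the CONFIG_SECURITY_FILE_CAPABILITIES option reads at exec time, so whoever reviews an ebuild's setcap step can see exactly which capabilities were left on a binary instead of the setuid bit. The on-disk layout is the kernel's `struct vfs_cap_data` from linux/capability.h (a little-endian magic/revision word, then permitted and inheritable halves for bits 0..31 and 32..63, with revision 3 appending a root ID); the struct and function names, the small capability-name table and the constructed sample blob are assumptions of this example.

```c
/* Added example, not from the thread: decode security.capability xattrs.
 * Layout of struct vfs_cap_data (linux/capability.h), little-endian:
 *   off 0  magic_etc: revision in the top byte, bit 0 = effective flag
 *   off 4  permitted bits 0..31     off 8  inheritable bits 0..31
 *   off 12 permitted bits 32..63    off 16 inheritable bits 32..63
 *   off 20 rootid (revision 3 only) */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/types.h>
#include <sys/xattr.h>
#endif

#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_REVISION_2      0x02000000u
#define VFS_CAP_REVISION_3      0x03000000u
#define VFS_CAP_FLAGS_EFFECTIVE 0x00000001u
#define XATTR_CAPS_SZ_2 20
#define XATTR_CAPS_SZ_3 24

struct file_caps {              /* hypothetical decoded form, not a kernel type */
    unsigned revision;
    int effective;              /* permitted set is raised to effective on exec */
    uint64_t permitted;
    uint64_t inheritable;
    uint32_t rootid;            /* revision 3 only, otherwise 0 */
};

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 on success, -1 if the blob is not a well-formed v2/v3 xattr. */
int decode_vfs_caps(const unsigned char *buf, size_t len, struct file_caps *out)
{
    if (len < 4)
        return -1;
    uint32_t magic = le32(buf);
    uint32_t rev = magic & VFS_CAP_REVISION_MASK;
    if (rev != VFS_CAP_REVISION_2 && rev != VFS_CAP_REVISION_3)
        return -1;
    if (len != (rev == VFS_CAP_REVISION_2 ? XATTR_CAPS_SZ_2 : XATTR_CAPS_SZ_3))
        return -1;
    memset(out, 0, sizeof *out);
    out->revision    = rev >> 24;
    out->effective   = (magic & VFS_CAP_FLAGS_EFFECTIVE) ? 1 : 0;
    out->permitted   = (uint64_t)le32(buf + 4) | ((uint64_t)le32(buf + 12) << 32);
    out->inheritable = (uint64_t)le32(buf + 8) | ((uint64_t)le32(buf + 16) << 32);
    if (rev == VFS_CAP_REVISION_3)
        out->rootid = le32(buf + 20);
    return 0;
}

/* 1 if capability number cap (0..63) is in the permitted set, else 0. */
int caps_has_permitted(const struct file_caps *c, int cap)
{
    if (cap < 0 || cap > 63)
        return 0;
    return (int)((c->permitted >> cap) & 1u);
}

/* Number of permitted capabilities: a quick "how broad is this grant" metric. */
int caps_count(const struct file_caps *c)
{
    int n = 0;
    for (int i = 0; i < 64; i++)
        n += caps_has_permitted(c, i);
    return n;
}

/* Subset of the kernel's capability numbers, only for readable output. */
static const char *cap_name(int cap)
{
    switch (cap) {
    case 0:  return "cap_chown";
    case 1:  return "cap_dac_override";
    case 7:  return "cap_setuid";
    case 10: return "cap_net_bind_service";
    case 12: return "cap_net_admin";
    case 13: return "cap_net_raw";
    case 21: return "cap_sys_admin";
    default: return NULL;
    }
}

static void print_caps(const char *what, const struct file_caps *c)
{
    printf("%s: v%u%s permitted:", what, c->revision, c->effective ? " +ep" : "");
    for (int i = 0; i < 64; i++) {
        if (!caps_has_permitted(c, i))
            continue;
        if (cap_name(i)) printf(" %s", cap_name(i)); else printf(" %d", i);
    }
    if (c->revision == 3)
        printf(" rootid=%u", c->rootid);
    printf("\n");
}

int main(int argc, char **argv)
{
    /* Constructed sample: revision 2, effective flag, cap_net_raw (bit 13) only,
     * the kind of grant a ping binary carries instead of the setuid bit. */
    static const unsigned char sample[XATTR_CAPS_SZ_2] = {
        0x01, 0x00, 0x00, 0x02,   /* magic_etc: rev 2 | effective */
        0x00, 0x20, 0x00, 0x00,   /* permitted lo: 1 << 13 */
        0x00, 0x00, 0x00, 0x00,   /* inheritable lo */
        0x00, 0x00, 0x00, 0x00,   /* permitted hi */
        0x00, 0x00, 0x00, 0x00,   /* inheritable hi */
    };
    struct file_caps c;
    if (decode_vfs_caps(sample, sizeof sample, &c) == 0)
        print_caps("sample", &c);
#ifdef __linux__
    /* Each path argument: read the real xattr (needs read access to the file). */
    for (int i = 1; i < argc; i++) {
        unsigned char buf[XATTR_CAPS_SZ_3];
        ssize_t n = getxattr(argv[i], "security.capability", buf, sizeof buf);
        if (n < 0) { printf("%s: no file capabilities\n", argv[i]); continue; }
        if (decode_vfs_caps(buf, (size_t)n, &c) == 0) print_caps(argv[i], &c);
        else printf("%s: malformed security.capability xattr\n", argv[i]);
    }
#else
    (void)argc; (void)argv;
#endif
    return 0;
}
```

Run it as `./filecaps /bin/ping` on a system with the option enabled to compare what the ebuild set against what the package actually needs; a grant that decodes to more than one or two capabilities, or to anything like cap_sys_admin, is hardly an improvement over the setuid bit it replaced.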