From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1Jdn5A-0002a2-Ki for garchives@archives.gentoo.org; Mon, 24 Mar 2008 13:51:24 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id DDD85E069E; Mon, 24 Mar 2008 13:51:22 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id BC099E069E for ; Mon, 24 Mar 2008 13:51:22 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp.gentoo.org (Postfix) with ESMTP id B04B2679D3; Mon, 24 Mar 2008 13:51:21 +0000 (UTC) From: Mike Frysinger Organization: wh0rd.org To: "Alon Bar-Lev" Subject: Re: [gentoo-dev] [SECURITY] Minimizing the suid usage Date: Mon, 24 Mar 2008 09:53:51 -0400 User-Agent: KMail/1.9.7 Cc: gentoo-dev@lists.gentoo.org References: <9e0cf0bf0803231121t75eb67abu60f17f54086dd32@mail.gmail.com> <200803240750.50816.vapier@gentoo.org> <9e0cf0bf0803240527y18b173f7id679c061e7bf8975@mail.gmail.com> In-Reply-To: <9e0cf0bf0803240527y18b173f7id679c061e7bf8975@mail.gmail.com> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1368544.L4KZfQ6Mfz"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200803240953.52578.vapier@gentoo.org> X-Archives-Salt: 9df4e865-f9c7-4d38-91bc-7aae72da24da X-Archives-Hash: 077e3ff2511ca69878e8f1f592191294 --nextPart1368544.L4KZfQ6Mfz Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Monday 24 March 2008, Alon Bar-Lev wrote: > On 3/24/08, Mike Frysinger wrote: > > Diego and i were talking ... we're going to go with USE=3Dfilecaps beca= use > > it's so new and doesnt require the libcap library in order to work at > > runtime. probably be worthwhile to put together a little eclass of > > functions to make people's lives easier ... > > Great!!! > You write eclass, me start patching ebuilds and open bugs against > maintainers :) eclass wrapping will also allow us to abstract away the fun OS details, but= =20 we'll start with linux for now. how much do we want to help the user ? if they have USE=3Dfilecaps, then d= ont=20 perform any checking ? we'll need a kernel with file capabilities turned o= n,=20 otherwise the prog wont work unless it's setuid ... so do we perform checki= ng=20 and drop the setuid bit on the post sly ? i'd prefer we just make the=20 filecaps desc verbose: dont set this unless you have new enough kernel with= =20 options enabled, otherwise things may stop working properly as non-root. =2Dmike --nextPart1368544.L4KZfQ6Mfz Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.7 (GNU/Linux) iQIVAwUAR+eycEFjO5/oN/WBAQJHGhAAjUQ4Js8k/Zqu75R3Aeiod0EaO0pHaSPv 9jJvCc81LJfUCUQwl5No20yeJxFcJA9v5YRKkVuZZJ0AZC0TUUe/gjzb2QgCwInP AoaMmMq3yh3fhymqMt0iMSRsRbBdNEsewQsFvLmTBOtvy191q7tE8K25kbj8jFBs xi8FXUjNfxtMeFar8rrOYT6xfDHRlNAY/55mokFvjOb+LyQuuLiu0TZAQtRDgmCd OweiRmhLH9me9ghbSEi7FC3ha4WEGkebnGGX2n05VKSjic2epmXV9g/mtQ3wGXqp EiuYJdn9whh2DK6k69JpIM1LVWDrcWik3z7+vqVVufNGSsD8fTOtzpkdrHCpguJ1 9P4GosFdDG95QariJDfJeulj4qP7MqQGq3ueto274T4+kjas3+vlkgSmzYSoGrNW E924yARN+h4QKbiVK1UDOW9Yo17N1XnhhOgeDnHML118kyp3VprlVyrZ8KHlU10J aRkC+msYkKTB8WGxH540w7MtQWR6UjIbGD+r40VsHGERV/f0h1X5+hl4UPPSpRG5 81SRbRKv1DT8FeZmRVjEzrk2KXXNm1GKx7H9XgxWpiY1E9lcYtROtBlhIoUj/Wxm nybaI/B8xJ74oQBPuPF7xTqLyR2dTcj8s9ACQuq1YTGl12H7DHwL6EpuqeZl5DQu SoQYpZv0Uv8= =Utfq -----END PGP SIGNATURE----- --nextPart1368544.L4KZfQ6Mfz-- -- gentoo-dev@lists.gentoo.org mailing list