From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1LIMaL-0006V5-63 for garchives@archives.gentoo.org; Thu, 01 Jan 2009 12:23:33 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id BAAB5E03F2; Thu, 1 Jan 2009 12:23:31 +0000 (UTC) Received: from mailgate.internet.lu (mailgate.internet.lu [195.218.0.131]) by pigeon.gentoo.org (Postfix) with ESMTP id 93670E03F2 for ; Thu, 1 Jan 2009 12:23:31 +0000 (UTC) Received: from silis.lu (mail.internet.lu [195.218.0.91]) by mailgate.internet.lu (Postfix) with SMTP id A3D434CC0E3 for ; Thu, 1 Jan 2009 13:23:42 +0100 (CET) Received: from 195.218.24.251 by 195.218.0.91 INC_SMTP_SERVER 2.48; Thu, 01 Jan 2009 13:20:36 +0100 Received: from neptune.home (neptune.home [IPv6:2001:960:7ab:0:2c0:9fff:fe2d:39d]) by smtp.home (Postfix) with ESMTP id CFBDF13BE0; Thu, 1 Jan 2009 13:23:28 +0100 (CET) Date: Thu, 1 Jan 2009 13:23:27 +0100 From: Bruno To: gentoo-dev@lists.gentoo.org Cc: ciaran.mccreesh@googlemail.com, Alon Bar-Lev , Mike Frysinger Subject: Re: [gentoo-dev] [SECURITY] Minimizing the suid usage Message-ID: <20090101132327.5ccc0413@neptune.home> In-Reply-To: <20080805095412.20a34d82@snowcone> References: <9e0cf0bf0803231121t75eb67abu60f17f54086dd32@mail.gmail.com> <20080805105109.13425b14@pluto.restena.lu> <20080805095412.20a34d82@snowcone> X-Mailer: Claws Mail 3.6.1 (GTK+ 2.12.11; i686-pc-linux-gnu) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Archives-Salt: 1224f633-ac44-41ca-aba0-a2cfd3e8434e X-Archives-Hash: c38f741e1851ecc04cf2a36d942eb016 On Tue, 05 August 2008 Ciaran McCreesh wrote: > On Tue, 5 Aug 2008 10:51:09 +0200 Bruno Pr=C3=A9mont wrote: > > Has any progress happened since March for adding support for > > FILE_CAPABILITIES? >=20 > Well, Alon still hasn't backed up his claim that Portage supports > capabilities... Fairly important to establish that before anything > else... >=20 In case the package manager has trouble with attributes (or the target filesystem does not support them) a way to keep the system running would be to apply the capabilities during src_install and have the eclass check during pkg_postinst, eventually retrying and finally falling back to suid at that point. Even binpkg would be handled that way. For this to work the eclass would have to remember the list of files from src_install until pkg_postinst so that it can do all the work once again (with a single call from the ebuild). Bruno