coreutils
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [coreutils] [patch] Re: Install enhancement request: capabilities

From: Yaron Sheffer
Subject: Re: [coreutils] [patch] Re: Install enhancement request: capabilities
Date: Thu, 04 Nov 2010 15:08:39 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Lightning/1.0b2 Thunderbird/3.1.6 
Hi Pádraig,
it's somewhat cleaner to have all the security-critical settings in one place: owner, group, permissions, capabilities (and grep for "-P" or "--capabilities"...). Plus you can rely on "install" to always be there, which I don't think is true for "setcap". 

Thanks,
    Yaron

On 11/04/2010 02:55 PM, Pádraig Brady wrote:

On 04/11/10 11:08, Pádraig Brady wrote:

Thanks for the patch!
I think the feature is worth it.

Currently install does not preserve xattrs
and so looses any previous capabilities
associated with a file.

In any case, capabilities don't need to be implemented
using xattrs, and might not be on tmpfs on Linux
for example when support is eventually added there.

One tricky thing I noticed with capabilities,
is that one needs to do after setting any ownership,
which you do correctly in the patch.

On the other hand one can always just call
`setcap` after `install` for the few files that require it.
Having `install` support it means you don't need a separate
setcap util, but it also means that one can't just
grep for "setcap" in a bunch of rpms for example
to see what capabilities are set on the system.
Also using the `setcap` util is slightly more flexible
in failure modes (optionally failing if all/some/none are set)

So I'm back to 55:45 against this one.

cheers,
Pádraig.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]