On 5/22/07, Randy McMurchy <[EMAIL PROTECTED]> wrote:
> Robert Connolly wrote:
> > I found a page which tries to explain why it was abandoned:
> > http://www.madore.org/~david/linux/newcaps/#abandoned
> >
> > So, for the time being, linux
> > capabilities are the only way to give non-root users permission to read, or
> > write, to superuser resources, like ntpd does. In other words, libcap has not
> > been replaced by anything, and isn't going away any time soon.
>
> Dan and Robert, thanks for the explanations. Seems as though
> it is useful. Now the question is, what patches should be
> applied?
>
> As Dan mentioned, I added a patch to the repo a couple of
> months back, but Dan says it is an overkill in that many
> of the additions to the capabilities that the RedHat patch
> provides aren't necessary. I really am not qualified to
> make an assessment as to what is really necessary.
I'm sure Robert knows a hell of a lot more about kernel/libc interfaces, but I'll just toss in my 2 cents.

The Fedora patch does one thing I'm really not fond of. It adds a static version of linux/capability.h into sys/capability.h instead of #include <linux/capability.h>. I'd much rather just use the sanitized one from the kernel so long as it works (which it appears to do). Besides that, though, most of the changes are just to make the build better. This is where I got my "the minimal thing to do is remove the two _syscall2 declarations".

On the other hand, the Owl patches are more invasive in that they change code some. Not the API or anything, but adding some code to be more robust and removing some unnecessarily exported symbols from the header. For instance, some sprintf's (which can have buffer overflows) are changed to snprintf's (which take a max buffer size as an argument). Are all those changes OK? I don't really know, but I trust Robert.

So, the patchsets do some different things and I'm not sure which I prefer. I wouldn't have any problems with the Owl patches, although it does sort of conflict with how other packages are handled in BLFS. I also wouldn't have any problems with the Fedora patches, except for the <linux/capability.h> thing mentioned above.

--
Dan
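
The sprintf-to-snprintf change mentioned above prevents the overflow, but snprintf truncates silently unless its return value is checked. The following is an added example, not code from libcap or from the Owl or Fedora patches; the helper join_caps and the sample capability names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not libcap code): builds "name,name+flags" in buf.
 * Returns 0 on success, -1 if the text would not fit; on failure buf is
 * left as an empty string so a truncated value is never used. */
static int join_caps(char *buf, size_t size,
                     const char *const *names, size_t n, const char *flags)
{
    size_t off = 0;

    if (size == 0)
        return -1;
    buf[0] = '\0';

    for (size_t i = 0; i <= n; i++) {
        int w;

        if (i < n)
            w = snprintf(buf + off, size - off, "%s%s", i ? "," : "", names[i]);
        else
            w = snprintf(buf + off, size - off, "+%s", flags);

        /* snprintf returns the length it wanted to write (without the NUL).
         * A value >= the remaining space means the output was truncated. */
        if (w < 0 || (size_t)w >= size - off) {
            buf[0] = '\0';
            return -1;
        }
        off += (size_t)w;   /* invariant: off < size, so size - off >= 1 */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample input. */
    const char *const names[] = { "cap_net_bind_service", "cap_sys_time" };
    char buf[64];

    if (join_caps(buf, sizeof buf, names, 2, "ep") == 0)
        printf("%s\n", buf);
    return 0;
}
```

Advancing the offset only after the truncation check keeps `size - off` from wrapping around, which is the usual mistake when snprintf calls are chained.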
