On 08/02/2011 03:08 AM, Michał Górny wrote:
> On Sun, 31 Jul 2011 16:00:40 -0400
> "Anthony G. Basile" <bluen...@gentoo.org> wrote:
>
>> On 07/31/2011 03:46 PM, Nirbheek Chauhan wrote:
>>> On Sun, Jul 31, 2011 at 8:13 PM, Anthony G. Basile
>>> <bluen...@gentoo.org> wrote:
>>>> Hi everyone,
>>>>
>>>> A couple of days ago, bonsaikitten (Patrick), kerframil (Kerin
>>>> Millar) and myself were talking about other distros moving away
>>>> from setuid binaries towards caps. Openwall and Fedora are now
>>>> setuid-less [1]. Some googling showed that Constanze has done
>>>> quite a bit of work in the area and that there was a consensus to
>>>> include functions to set caps within portage [2]. I don't know
>>>> what, if anything has been done since then, but I'd like to lend
>>>> my support.
>>>>
>>> One problem that came up was that a lot of people use tmpfs for
>>> /var/tmp/portage, and tmpfs doesn't support xattrs which are needed
>>> for setting caps.
>>>
>>> Linux 3.0 has added support for xattrs with tmpfs (the redhat folks
>>> did the work, afaik), so that problem is partly solved now.
>>
>> I know, there are lots of places where xattrs is not supported that
>> lead to the same problem. I'm tempted to respond with pkg_postinst()
>> but I see QA problems written all over that.
>
> We can either do that or 'Future EAPI' capsetting in PMS. Then, a PM
> could implement capsetting functions in such a way that they will
> preserve caps internally to PM and re-set them when merging to livefs.
>

I prefer capsetting in the PMS itself, with a nice clean function which auto detects all the necessary conditions and transparently preserves caps, as you suggest. Maybe this can be in EAPI=5.

I'm also wondering if, in the meantime, it might be worth writing a bash script and/or howto on converting as many binaries as possible from setuid to caps --- hitting up all the usual suspects. It's not ideal but might still be useful until we get this squarely in the PMS.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : bluen...@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID  : D0455535