On 30/04/13 11:50, Joerg Schilling wrote:
Nikos Chantziaras <[email protected]> wrote:
Would you call someone who shoots himself in the foot "smart"?
Recent Linux kernels support fcaps in the filesystems and "somebody" evil, who
knows what he does may even set up fcaps on executable files when the related
support-software is not installed, just because the unstable kernel interfaces
are accessible from libc.
Do you like people to be able to open security holes?
You don't know what my intentions are and why I want to disable libcap.
I have my reasons. This happens because it is actually possible to
disable it.
I explained why not having libcap by default is a security risk.
You would need to explain your reasons, I currently cannot see a valid
reason to exclude a very small piece of security relevant software.
I already did that:
If I use the appropriate
"enable libcap" flag, and libcap is not there, or it's broken, or
whatever, I don't want to get a build that's now insecure. I want the
build to abort with a big, fat error.
Automagic deps are a bad thing. I want to know what's going on, and need
to have a way to make sure that something is indeed enabled/disabled.
If you really don't like that, then you should probably make libcap
mandatory. Assume it's there, and if it's not, the user should get
compile errors.
If you don't like my explanations, you are free to explain your reasons.
I already did. The "you don't know what I intend" part is there to
cover use cases you cannot foresee. Just because we can't think of them
doesn't mean they don't exist.
But as long as it's not mandatory, I have my reasons why I would want to
disable it, just as I have my reasons why I would want to explicitly
enable it. What if autodetection fails? If I use the appropriate
"enable libcap" flag, and libcap is not there, or it's broken, or
whatever, I don't want to get a build that's now insecure. I want the
build to abort with a big, fat error.
I think you're too used to binary distros and Solaris to appreciate the
different requirements of source-based distros :-)
Solaris is source-based too...
I don't see how. Unless you mean that you can build from source on it.
Which isn't the same thing.
The real difference to Linux is that Solaris uses a kernel that is
auto-adjusting to the hardware and usage because it is fully dynamically loaded
and because all parameters adjust themselves to any needed value as long as there
is enough kernel memory.
Gentoo isn't Solaris though. Automagic deps cause problems on users'
systems here.
Linux has a large statically linked part and in theory you may be able to
compile it without capabilities, but then you would still need to have the
userland support-code available to permit userland programs to find out whether
the current kernel includes support or not.
...it is a matter of understanding security related constraints...
Understanding the problems of automagic deps on source-based Linux is
also important.
Question though: if it's that important to have libcap, why do you
provide a way to build the software without it? Why not just make it
mandatory?
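The thread's point that file capabilities can be written straight into the filesystem, with or without any userland libcap tooling present, means an administrator needs an independent way to find out which binaries carry them. The following is an added example and is not code from this thread or from any project mentioned in it. It parses the raw `security.capability` extended attribute (the `vfs_cap_data` layout and the capability bit numbers are taken from the kernel's `include/uapi/linux/capability.h`) and walks a directory tree reporting every regular file that carries one. The function names (`decode_vfs_caps`, `audit_tree`, `encode_v2`) are my own, and the sample blob is constructed rather than read from a real system.

```python
"""Decode and audit Linux file capabilities stored in the security.capability xattr.

Added example, not part of the mailing-list thread. Assumes a Linux host
(os.getxattr is Linux-only) and the vfs_cap_data layout from the kernel's
include/uapi/linux/capability.h: a little-endian u32 header whose high byte
is the revision and whose low bit is the "effective" flag, followed by one
(v1) or two (v2, v3) pairs of permitted/inheritable u32 words, plus a
rootid u32 for v3.
"""
import os
import struct

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_1 = 0x01000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
XATTR_NAME_CAPS = "security.capability"

# Capability bit numbers from linux/capability.h (subset used for naming output).
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search", 3: "cap_fowner",
    6: "cap_setgid", 7: "cap_setuid", 8: "cap_setpcap", 10: "cap_net_bind_service",
    12: "cap_net_admin", 13: "cap_net_raw", 16: "cap_sys_module", 17: "cap_sys_rawio",
    19: "cap_sys_ptrace", 21: "cap_sys_admin", 31: "cap_setfcap", 39: "cap_bpf",
}


def decode_vfs_caps(raw: bytes) -> dict:
    """Parse a raw security.capability value into permitted/inheritable bitmasks."""
    if len(raw) < 4:
        raise ValueError("xattr too short for a vfs_cap_data header")
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    words = {VFS_CAP_REVISION_1: 1, VFS_CAP_REVISION_2: 2, VFS_CAP_REVISION_3: 2}.get(revision)
    if words is None:
        raise ValueError(f"unknown vfs_cap_data revision 0x{revision:08x}")
    expected = 4 + 8 * words + (4 if revision == VFS_CAP_REVISION_3 else 0)
    if len(raw) != expected:
        raise ValueError(f"revision 0x{revision:08x} expects {expected} bytes, got {len(raw)}")
    permitted = inheritable = 0
    for i in range(words):  # data[0] holds bits 0-31, data[1] holds bits 32-63
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = struct.unpack_from("<I", raw, 4 + 8 * words)[0] if revision == VFS_CAP_REVISION_3 else 0
    return {
        "revision": revision >> 24,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": permitted,
        "inheritable": inheritable,
        "rootid": rootid,  # v3 only: user-namespace root that owns the caps
    }


def cap_names(mask: int) -> list:
    """Turn a capability bitmask into sorted symbolic names (unknown bits as cap_N)."""
    return [CAP_NAMES.get(bit, f"cap_{bit}") for bit in range(64) if (mask >> bit) & 1]


def encode_v2(permitted: int, inheritable: int, effective: bool) -> bytes:
    """Build a revision-2 blob; used here to construct sample input for the decoder."""
    magic = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    return struct.pack("<IIIII", magic, permitted & 0xFFFFFFFF, inheritable & 0xFFFFFFFF,
                       permitted >> 32, inheritable >> 32)


def audit_tree(root: str) -> list:
    """Walk root and return (path, decoded caps) for every file carrying fcaps."""
    findings = []
    getxattr = getattr(os, "getxattr", None)  # absent on non-Linux platforms
    if getxattr is None:
        return findings
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                raw = getxattr(path, XATTR_NAME_CAPS, follow_symlinks=False)
            except OSError:
                continue  # ENODATA (no caps), EACCES, or a filesystem without xattrs
            findings.append((path, decode_vfs_caps(raw)))
    return findings


# Constructed sample: the value setcap writes for "cap_net_bind_service,cap_net_raw=ep".
SAMPLE_NET_CAPS = encode_v2((1 << 10) | (1 << 13), 0, effective=True)

if __name__ == "__main__":
    import sys
    for path, caps in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"):
        suffix = "+ep" if caps["effective"] else "+p"
        print(f"{path}: {','.join(cap_names(caps['permitted']))}{suffix}")
```

Run it against a directory such as `/usr/bin` to list every binary with file capabilities; because it reads the xattr directly through libc rather than through `getcap`, it works on a host where no libcap userland was ever installed, which is exactly the situation the thread describes. The length check rejects truncated or over-long blobs, since the kernel itself refuses malformed `vfs_cap_data` and a scanner should not silently misreport them.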