That makes sense. As of Linux 2.6.26, however, setcap cap_sys_nice=+ep can be used for that instead.

Most/all reasons why you would want to run as root can be handled through capabilities. Are there any NixOS modules to set these?

Also, the boundary between NixOS and nixpkgs is not fully clear to me considering permissions (setuid/capabilities). For something as "drastic" as setuid, it's clear that the sysadmin should be in control when deciding which binaries get it (the way it is now). However, for relatively harmless capabilities (raw packets for "ping"), I would like packages to be able to set these themselves. You can't expect the sysadmin to know about all these cases. Of course we don't want malicious users to write their own derivations to abuse that power, so it would be nice if packages just contain the capabilities they can use, and have a NixOS "capTrustedPackages" setting to effectuate them.

What do you (and others) think of this? And about using capabilities in general?

Thanks
Mathijs

On Tue, Jan 3, 2012 at 11:54 PM, Eelco Dolstra <[email protected]> wrote:
> Hi,
>
> On 03/01/12 23:53, Mathijs Kwik wrote:
>
>> I noticed setuid-wrappers.nix contained cdrdao, wodim and growisofs,
>> all cd/dvd burning tools.
>> Is there a reason for this? On Arch they aren't.
>> It seems udev + consolekit take care of setting an RW acl on /dev/sr0
>> for the user that's logged in/active on the console. Furthermore,
>> group "cdrom" has write access to that device.
>
> If I remember correctly, it's to allow them to get realtime priority.
>
> --
> Eelco Dolstra | http://www.st.ewi.tudelft.nl/~dolstra/
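
An added example, not part of the original message and not NixOS code: file capabilities such as the cap_sys_nice and raw-packet cases discussed above are stored in the `security.capability` extended attribute, so an administrator can decode that attribute and compare each binary against an allowlist. The paths, the `ALLOWED` mapping and the sample attribute values are constructed for illustration; the constants are those of `<linux/capability.h>`.

```python
import os
import struct

# Values from <linux/capability.h>
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}  # revision -> u32 pairs
CAP_NAMES = {13: "cap_net_raw", 21: "cap_sys_admin", 23: "cap_sys_nice"}  # subset

def _names(mask):
    return sorted(CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if mask >> b & 1)

def decode_file_caps(blob):
    """Decode a raw security.capability xattr (struct vfs_cap_data, little-endian)."""
    if len(blob) < 4:
        raise ValueError("truncated xattr")
    (magic,) = struct.unpack_from("<I", blob, 0)
    pairs = PAIRS.get(magic & VFS_CAP_REVISION_MASK)
    if pairs is None or len(blob) < 4 + 8 * pairs:
        raise ValueError("unknown revision or truncated xattr")
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {"effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": _names(permitted), "inheritable": _names(inheritable)}

def read_file_caps(path):
    """Return decoded capabilities of a file on disk, or None if it has none (Linux only)."""
    try:
        return decode_file_caps(os.getxattr(path, "security.capability"))
    except OSError:
        return None

def audit(blobs, allowed):
    """Return [(path, [capabilities not on the allowlist])] for offending files."""
    findings = []
    for path, blob in sorted(blobs.items()):
        extra = sorted(set(decode_file_caps(blob)["permitted"]) - allowed.get(path, set()))
        if extra:
            findings.append((path, extra))
    return findings

def _blob(cap):  # constructed sample: revision 2, effective bit set, one permitted capability
    return struct.pack("<5I", 0x02000001, 1 << cap, 0, 0, 0)

SAMPLES = {"/example/bin/ping": _blob(13), "/example/bin/cdrdao": _blob(23), "/example/bin/tool": _blob(21)}
ALLOWED = {"/example/bin/ping": {"cap_net_raw"}, "/example/bin/cdrdao": {"cap_sys_nice"}}

if __name__ == "__main__":
    print(audit(SAMPLES, ALLOWED))
```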
