On Sun, Jul 7, 2013 at 12:21 AM, Ben Noordhuis <[email protected]> wrote:
> On Sat, Jul 6, 2013 at 3:49 PM, richard -rw- weinberger
> <[email protected]> wrote:
>> On Sat, Jul 6, 2013 at 2:18 PM, Ben Noordhuis <[email protected]> wrote:
>>> On Sat, Jul 6, 2013 at 10:49 AM, richard -rw- weinberger
>>> <[email protected]> wrote:
>>>> Hi!
>>>>
>>>> Is node providing a mechanism to modify the current capability set on 
>>>> Linux?
>>>> I'd like to drop some capabilities and limit the capability bounding set.
>>>
>>> You can drop root privileges with process.setuid(), process.setgid()
>>> and process.initgroups(), which pretty much map 1-to-1 to the POSIX
>>> functions of the same name.
>>
>> This has nothing to do with capabilities.
>
> I give you a friendly, informative and complete answer - and you
> respond by being a rude jerk.

I think you'd better behave yourself, I did not call you a "jerk".

>>> There is nothing in node.js core that lets you manipulate Linux
>>> capabilities like capset() or prctl(PR_CAPBSET_DROP) do - nor will
>>> there be, it's too platform-specific -
>>
>> Why? We have libcap-np which is POSIX.
>> Node already has support for such functions.
>> Like process.getgid().
>
> There are no capabilities in POSIX, it's strictly a Linux thing.
> You're probably thinking of POSIX ACLs.

I was thinking of POSIX 1003.1e/2c.
Linux's capabilities follow that draft.
Though it is only a draft, if I'm not mistaken other Unixes have also
followed it.

> For that matter, there is no libcap-np either.  If that's a typo and
> you meant libcap-ng, that too is strictly a Linux thing.
>
>>> but it's trivial to write a
>>> small C++ add-on for it.  There may be one (or several) already
>>> available through npm.
>>
>> The only npm module I could find was "node-posix-caps-ng".
>> But sadly the author does not seem to understand capabilities.
>> The ->clear_caps() method is broken. It's easy to regain all capabilities.
>> He did not honor the capability bounding set.
>>
>> So it is clearly not trivial to write such an add-on.
>
> Then I suggest you contact the author and set him straight.  Or write
> your own add-on and publish it.

Will do.

--
Thanks,
//richard
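Added example, not code from this thread or from the npm module it mentions: a small C routine that drops Linux capabilities in the order the discussion implies, first emptying the capability bounding set with prctl(PR_CAPBSET_DROP) and only then clearing the thread's effective, permitted and inheritable sets with capset(). Doing it in the other order, or skipping the bounding set entirely, is the defect described above: the bounding set is what limits which capabilities a later execve() of a setuid or file-capability binary can hand back, so a clear_caps() that leaves it intact can be undone. The function names, the return-code convention and the MAX_CAP_PROBE bound are this example's own assumptions; the raw capget/capset syscalls are used so that nothing beyond glibc and the kernel headers is needed.

```c
/* Added example: drop Linux capabilities so that they cannot be regained.
 * Uses raw capget/capset syscalls and prctl(); no libcap dependency.
 * Linux only; the helper names and MAX_CAP_PROBE are assumptions of this example. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

extern long syscall(long number, ...);

/* Upper bound when probing how many capabilities the running kernel knows;
 * the probe stops earlier at the first EINVAL from PR_CAPBSET_READ. */
#define MAX_CAP_PROBE 256

/* Step 1: remove every capability from the bounding set.
 * Needs CAP_SETPCAP, so it must run before the permitted set is cleared.
 * Returns 0 if the bounding set is now empty, 1 if some entries could not be
 * dropped for lack of CAP_SETPCAP (EPERM), -1 on any other error. */
int drop_bounding_set(void)
{
    int remaining = 0;
    for (int cap = 0; cap < MAX_CAP_PROBE; cap++) {
        int present = prctl(PR_CAPBSET_READ, (unsigned long)cap, 0UL, 0UL, 0UL);
        if (present < 0) {
            if (errno == EINVAL)   /* past the last capability this kernel knows */
                break;
            return -1;
        }
        if (present == 0)
            continue;              /* already absent from the bounding set */
        if (prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0UL, 0UL, 0UL) < 0) {
            if (errno == EPERM) { remaining++; continue; }
            return -1;
        }
    }
    return remaining > 0 ? 1 : 0;
}

/* Returns 1 if no capability remains in the bounding set, 0 if any does, -1 on error. */
int bounding_set_is_empty(void)
{
    for (int cap = 0; cap < MAX_CAP_PROBE; cap++) {
        int present = prctl(PR_CAPBSET_READ, (unsigned long)cap, 0UL, 0UL, 0UL);
        if (present < 0)
            return errno == EINVAL ? 1 : -1;
        if (present == 1)
            return 0;
    }
    return 1;
}

/* Step 2: clear the calling thread's effective, permitted and inheritable sets.
 * Shrinking to the empty set is always permitted, so this works unprivileged too. */
int clear_all_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = { { 0 } };
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

/* Returns 1 if all three thread capability sets are empty, 0 otherwise, -1 on error. */
int caps_are_clear(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++)
        if (data[i].effective || data[i].permitted || data[i].inheritable)
            return 0;
    return 1;
}

int main(void)
{
    int bset = drop_bounding_set();
    printf("bounding set: %s\n", bset == 0 ? "emptied"
           : bset == 1 ? "partly kept (no CAP_SETPCAP)" : "error");
    if (clear_all_caps() != 0) {
        perror("capset");
        return 1;
    }
    printf("thread caps clear: %s\n", caps_are_clear() == 1 ? "yes" : "no");
    return 0;
}
```

When run without CAP_SETPCAP the bounding-set step reports what it could not drop rather than pretending to succeed; a dropper that silently skips that step is exactly the kind of clear_caps() the thread complains about. The bounding set, once reduced, is inherited by children across fork() and execve(), so doing this once early in a service that later spawns workers covers them as well.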
