On Apr 9, 2011, at 3:50 PM, Tomasz Pala wrote:

> On Sat, Apr 09, 2011 at 15:34:55 -0400, Jeff Johnson wrote:
>
>>>> There's no known reason why xattr's can't be done in other ways.
>>>
>>> Like what?
>>
>> Like not having RPM attach xattr's.
>
> Please tell me how to do root-free (capabilities-based) system without
> xattrs in rpm - doing this outside upgrade procedure leaves window for
> making system unusable in cases like power failure.
>

You asked for me to explain "other ways". I am not obligated nor inclined
to argue security packaging with anyone in public.

I quite well know what *I* would do instead; but the issue here is
what *you* want to do in PLD.

> Now we're using some dumb solutions like 'admin' group for SUID ICMP ping
> instead attaching proper file capabilities. In long term we should
> remove ALL SUID binaries from distribution, as this approach is broken
> by design and should be obsoleted 10 years ago.
>

That is your right and privilege to do whatever you wish to do.

But unlike other distros, PLD usually does sensible engineering. The only
reason I replied is because Patryk said:

> Not sure about PLD but I suppose we just followed what the others were
> doing. Other distros did it this way so they could set proper selinux
> attributes.

basically arguing "Do what everyone else is doing." when the reality
is actually that SELinux wussed out on proper engineering 5+ years ago
(and is considerably improved since).

73 de Jeff

_______________________________________________
pld-devel-en mailing list
[email protected]
http://lists.pld-linux.org/mailman/listinfo/pld-devel-en
