-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Panu Matilainen wrote:
> I'm ok with adding the functionality they provide, but I think we should
> use libcap and libacl instead of looking at the extended attributes
> directly. libacl and libcap provide portable interfaces (POSIX drafts)
> to the features whereas extended attributes are basically just a
> Linux/filesystem specific implementation detail (AFAIK).

If I were familiar with how rpm tracks files and meta-data, I'd be happy
to supply a libcap-using patch for the rpm code. However, I'm not at all
up to speed on the rpm source code.

What was easy, though, was to add a '-v' option to libcap's (2.14) setcap
utility. You can use it to verify that the capabilities on a file are
what you expect them to be:

Set the capability:
  $ sudo ./setcap cap_setfcap=i setcap

Verify the capability:
  $ ./setcap -v cap_setfcap=i setcap
  setcap: OK
  $

The source code change was pretty trivial.

http://git.kernel.org/?p=libs/libcap/libcap.git;a=blobdiff;f=progs/setcap.c;h=65a1cb49438d1dd7991bd306b40460fe3d0b35ea;hp=0501a9d95665a3ac388cbc164f6a8ca1011693a7;hb=9da338a75b5ae27e3f4226d214977a921d644e60;hpb=9f2e7c5245fc3100ed08d8a133f80afd88e81632

Basically:

  #include <errno.h>
  #include <sys/capability.h>

  /* Returns 1 if the file's capabilities equal the reference text,
     0 if they differ, -1 on error (errno left set). */
  int verify_file_caps(const char *filename,
                       const char *text_for_reference_caps)
  {
    int same;
    cap_t ref = cap_from_text(text_for_reference_caps);
    if (ref == NULL)
      return -1;                    /* unparsable reference text */
    cap_t actual = cap_get_file(filename);
    if (actual == NULL) {
      if (errno != ENODATA) {       /* ENOENT, EACCES, ...: a real error,
                                       not merely "no file caps" */
        cap_free(ref);
        return -1;
      }
      /* assuming you want to treat no file caps as
         equivalent to "set as empty", this may or may
         not be appropriate for a package manager. */
      actual = cap_from_text("=");
      if (actual == NULL) {
        cap_free(ref);
        return -1;
      }
    }
    same = (cap_compare(actual, ref) == 0);   /* 0 == identical sets */
    cap_free(ref);
    cap_free(actual);
    return same;
  }

Hope that helps

Cheers

Andrew

PS: http://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFJA/jKQheEq9QabfIRAj7hAJ9wJFpYRFkkpCBHik1vV3b03kxByQCfRIk6
gaBpcACVGWodlS8dfUc8Li4=
=QInA
-----END PGP SIGNATURE-----
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
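The libcap snippet in the mail hides how the capability set is actually stored. As an added example, not part of Andrew's message and not libcap's own code, the program below decodes the raw security.capability extended attribute (the "Linux/filesystem specific implementation detail" Panu refers to) and checks it against an expected permitted/inheritable/effective set, which is what cap_get_file() followed by cap_compare() does for you. The on-disk layout (a little-endian u32 magic/flags word, then (permitted, inheritable) u32 pairs, then a rootid for revision 3) and the VFS_CAP_REVISION_* constants are those of the kernel's linux/capability.h; the function and struct names are mine, and the two sample blobs are constructed by hand (the revision 2 one is what libcap 2.x's "setcap cap_setfcap=i" writes), not captured from a system. It goes beyond the mail's single case by handling all three xattr revisions and the "attribute absent" and "malformed attribute" outcomes separately.

```c
/* Added example (not libcap's or the thread's code): decode the raw
 * security.capability xattr and compare it with an expected set. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <errno.h>
#include <sys/types.h>
#include <sys/xattr.h>
#endif

#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_FLAGS_EFFECTIVE 0x00000001u
#define VFS_CAP_REVISION_1      0x01000000u   /* 12-byte blob, caps 0..31 */
#define VFS_CAP_REVISION_2      0x02000000u   /* 20-byte blob, caps 0..63 */
#define VFS_CAP_REVISION_3      0x03000000u   /* 24-byte blob, plus rootid */
#define CAP_NET_BIND_SERVICE 10
#define CAP_SETFCAP          31

struct file_caps {
    uint64_t permitted;    /* bit n set == capability number n */
    uint64_t inheritable;
    int      effective;    /* flag: permitted set is also made effective on exec */
    uint32_t rootid;       /* owning user-namespace root uid, revision 3 only */
};

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode one xattr value. Returns 0 on success, -1 for an unknown revision
 * or a length other than the exact size the kernel accepts for it. */
int parse_vfs_caps(const unsigned char *buf, size_t len, struct file_caps *out)
{
    size_t pairs, need;
    if (len < 4)
        return -1;
    uint32_t magic = le32(buf);
    switch (magic & VFS_CAP_REVISION_MASK) {
    case VFS_CAP_REVISION_1: pairs = 1; need = 12; break;
    case VFS_CAP_REVISION_2: pairs = 2; need = 20; break;
    case VFS_CAP_REVISION_3: pairs = 2; need = 24; break;
    default: return -1;
    }
    if (len != need)
        return -1;
    memset(out, 0, sizeof *out);
    out->effective = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    for (size_t i = 0; i < pairs; i++) {
        out->permitted   |= (uint64_t)le32(buf + 4 + 8 * i)     << (32 * i);
        out->inheritable |= (uint64_t)le32(buf + 4 + 8 * i + 4) << (32 * i);
    }
    if ((magic & VFS_CAP_REVISION_MASK) == VFS_CAP_REVISION_3)
        out->rootid = le32(buf + 20);
    return 0;
}

/* The check: 1 = matches expectation, 0 = differs, -1 = malformed blob.
 * len == 0 means "no security.capability attribute", treated here, as in
 * the mail's libcap snippet, as the empty set "=". */
int vfs_caps_match(const unsigned char *buf, size_t len,
                   uint64_t exp_permitted, uint64_t exp_inheritable, int exp_effective)
{
    struct file_caps fc;
    memset(&fc, 0, sizeof fc);
    if (len != 0 && parse_vfs_caps(buf, len, &fc) != 0)
        return -1;
    return fc.permitted == exp_permitted &&
           fc.inheritable == exp_inheritable &&
           fc.effective == (exp_effective != 0);
}

/* Constructed sample blobs (hand-written, not captured from a system). */
/* What "setcap cap_setfcap=i" stores: revision 2, bit 31 inheritable only. */
const unsigned char SAMPLE_SETFCAP_I[20] = {
    0x00, 0x00, 0x00, 0x02,   /* magic: revision 2, effective flag clear */
    0x00, 0x00, 0x00, 0x00,   /* permitted[0]   */
    0x00, 0x00, 0x00, 0x80,   /* inheritable[0]: 1 << 31 = cap_setfcap */
    0x00, 0x00, 0x00, 0x00,   /* permitted[1]   */
    0x00, 0x00, 0x00, 0x00    /* inheritable[1] */
};
/* Revision 3: cap_net_bind_service=ep owned by a user namespace with rootid 1000. */
const unsigned char SAMPLE_NETBIND_EP_V3[24] = {
    0x01, 0x00, 0x00, 0x03,   /* magic: revision 3, effective flag set */
    0x00, 0x04, 0x00, 0x00,   /* permitted[0]: 1 << 10 = cap_net_bind_service */
    0x00, 0x00, 0x00, 0x00,   /* inheritable[0] */
    0x00, 0x00, 0x00, 0x00,   /* permitted[1]   */
    0x00, 0x00, 0x00, 0x00,   /* inheritable[1] */
    0xE8, 0x03, 0x00, 0x00    /* rootid = 1000  */
};

/* Stand-alone use: <prog> <file>; exit 0 if the file carries exactly
 * cap_setfcap=i (the mail's example), 1 if it differs, 2 on error. */
int main(int argc, char **argv)
{
#ifdef __linux__
    unsigned char buf[64];
    if (argc != 2) { fprintf(stderr, "usage: %s <file>\n", argv[0]); return 2; }
    ssize_t n = getxattr(argv[1], "security.capability", buf, sizeof buf);
    if (n < 0) {
        if (errno == ENODATA) n = 0;            /* no attribute: treat as "=" */
        else { perror("getxattr"); return 2; }
    }
    int r = vfs_caps_match(buf, (size_t)n, 0, 1ull << CAP_SETFCAP, 0);
    printf("%s: %s\n", argv[1], r == 1 ? "OK" : r == 0 ? "differ" : "malformed");
    return r == 1 ? 0 : (r == 0 ? 1 : 2);
#else
    (void)argc; (void)argv;
    fputs("security.capability xattrs are Linux-specific\n", stderr);
    return 2;
#endif
}
```

Two things this makes visible that the libcap calls hide: the kernel refuses a blob whose length does not match its revision exactly, so a verifier should report "malformed" rather than "empty" for such a file, and a revision 3 blob carries a rootid, so two files with identical capability bits can still differ in which user namespace honours them.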
