[gentoo-dev] RFC: iotop needs to run as root after kernel change
Hi,

after this change
https://github.com/torvalds/linux/commit/1a51410abe7d0ee4b1d112780f46df87d3621043
iotop cannot be used as user anymore. Any suggestions how to proceed?

The solutions I see are

1. Leave it to root (Fedora and Suse's way)
2. suid it (bad in my view)
3. file capabilities (can this be done with portage)

Please comment and help me with the right proceeding.

justin
Re: [gentoo-dev] RFC: iotop needs to run as root after kernel change
On 4/4/12 8:32 AM, justin wrote:
> 1. Leave it to root (Fedora and Suse's way)

I think that's the best option, at least for now.

> 2. suid it (bad in my view)

Agreed, that'd be very bad, any crashing bug in it could become a privilege escalation problem.

> 3. file capabilities (can this be done with portage)

Slightly better than the above, but I still prefer #1.
Re: [gentoo-dev] RFC: iotop needs to run as root after kernel change
On 04/04/2012 08:43, Paweł Hajdan, Jr. wrote:
> On 4/4/12 8:32 AM, justin wrote:
>> 1. Leave it to root (Fedora and Suse's way)
> I think that's the best option, at least for now.
>> 2. suid it (bad in my view)
> Agreed, that'd be very bad, any crashing bug in it could become a privilege escalation problem.
>> 3. file capabilities (can this be done with portage)
> Slightly better than the above, but I still prefer #1.

Or default to 1. but provide a use flag to achieve 3. net-wireless/kismet uses 'suid', maybe others use 'caps' use flags?

Hopefully others can answer on how to apply capabilities to executables
Re: [gentoo-dev] RFC: iotop needs to run as root after kernel change
justin wrote:
> iotop cannot be used as user anymore. Any suggestions how to proceed?
> Leave it to root (Fedora and Suse's way)
> suid it (bad in my view)

I suggest to have a suid USE flag (disabled by default) so the user can choose between the two. Maybe advertise this change in an elog message.

Best regards,
Chí-Thanh Christopher Nguyễn
Re: [gentoo-dev] RFC: iotop needs to run as root after kernel change
2012/4/4 Chí-Thanh Christopher Nguyễn chith...@gentoo.org:
> justin wrote:
>> iotop cannot be used as user anymore. Any suggestions how to proceed?
>> Leave it to root (Fedora and Suse's way)
>> suid it (bad in my view)
> I suggest to have a suid USE flag (disabled by default) so the user can choose between the two. Maybe advertise this change in an elog message.

Doesn't FEATURES=suidctl already cover crap like this?

-A

> Best regards,
> Chí-Thanh Christopher Nguyễn
Re: [gentoo-dev] RFC: iotop needs to run as root after kernel change
On Wed, 04 Apr 2012 08:32:41 +0200 justin j...@gentoo.org wrote:
> 3. file capabilities (can this be done with portage)

It can't. We've had discussions about caps before, and I imagine it would get into EAPI 5 without objections if you can come up with a spec that describes how it should work (bear in mind that some of the target filesystems might not support caps).

--
Ciaran McCreesh
Re: [gentoo-dev] RFC: iotop needs to run as root after kernel change
On Wed, Apr 04, 2012 at 08:32:41AM +0200, justin wrote:
> Hi, after this change
> https://github.com/torvalds/linux/commit/1a51410abe7d0ee4b1d112780f46df87d3621043
> iotop cannot be used as user anymore. Any suggestions how to proceed?
> The solutions I see are
> 1. Leave it to root (Fedora and Suse's way)

Please leave it this way, the information leakage otherwise is too big of a risk to do anything else.

greg k-h
Re: [gentoo-dev] RFC: iotop needs to run as root after kernel change
On 04/04/12 14:56, Greg KH wrote:
> On Wed, Apr 04, 2012 at 08:32:41AM +0200, justin wrote:
>> Hi, after this change
>> https://github.com/torvalds/linux/commit/1a51410abe7d0ee4b1d112780f46df87d3621043
>> iotop cannot be used as user anymore. Any suggestions how to proceed?
>> The solutions I see are
>> 1. Leave it to root (Fedora and Suse's way)
> Please leave it this way, the information leakage otherwise is too big of a risk to do anything else.
> greg k-h

Thanks for all your responses. I will follow what was suggested by upstream and what is the best from my feelings and restrict it to be root only.

justin
Re: [gentoo-dev] RFC: iotop needs to run as root after kernel change
On Wed, Apr 4, 2012 at 2:32 AM, justin j...@gentoo.org wrote:
> 2. suid it (bad in my view)
> 3. file capabilities (can this be done with portage)

iotop is a python script, so these were not really options anyway. Unless you wrote a wrapper in C or something. :)
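
Added example, not part of the thread and not iotop or Portage code: a Python audit helper that reports whether a setuid bit or file capabilities on a path can take effect at all, following the last reply's point that Linux honours neither on an interpreted script. The function names and result labels are assumptions made for this illustration.

```python
import os
import stat


def privilege_markers(path):
    """Return (is_script, has_setuid, has_file_caps) for a regular file."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        # A "#!" header means the kernel hands the file to an interpreter.
        is_script = fh.read(2) == b"#!"
    has_setuid = bool(st.st_mode & stat.S_ISUID)
    try:
        # On Linux, file capabilities live in this extended attribute.
        has_caps = len(os.getxattr(path, "security.capability")) > 0
    except (OSError, AttributeError):
        # ENODATA: none set. ENOTSUP: the filesystem cannot store them,
        # the case raised in the thread about target filesystems.
        # AttributeError: platform without os.getxattr.
        has_caps = False
    return is_script, has_setuid, has_caps


def assess(path):
    """Classify a path; the labels are hypothetical, chosen for this example."""
    is_script, suid, caps = privilege_markers(path)
    if not (suid or caps):
        return "unprivileged"
    if is_script:
        # The process runs with the interpreter's credentials, so the
        # markers on the script itself grant nothing.
        return "ineffective-on-script"
    return "effective-on-binary"


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, assess(target))
```

A path reported as `effective-on-binary` is where the privilege-escalation concern from the thread applies, for example a compiled wrapper around a script.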