[arch-dev-public] providing grsecurity in [community]

Thomas Bächler thomas at archlinux.org
Wed Apr 16 08:24:12 EDT 2014


On 16.04.2014 14:16, Allan McRae wrote:
> Getting off-topic... 

Indeed.

>  but only one package in our repos uses setfacl
> (systemd on the journal directory) in its install script, and seven use
> setcap.  Getting the majority case fixed is still worth including this
> in my opinion.  We can deal with get/setfacl when fakeroot does
> properly.  Any chance you can take that upstream?

I don't really have the time now, maybe some time on the weekend. From
what I saw quickly, the solution is merely to remove all the function
overrides for the acl_* functions from libfakeroot.c. Unless you beat me
to it, I'll test this on the weekend.

> Also, I really thought setcap would be used in more install scripts!

It becomes really bad when upstream uses it in the Makefile (like
systemd does) and the maintainer does not add it to the .install
manually.

But indeed, many more setuid binaries should make use of file
capabilities instead.

