[arch-general] [wiki] Using File Capabilities Instead Of Setuid
Gerardo Exequiel Pozzi
vmlinuz386 at yahoo.com.ar
Mon Mar 23 19:22:34 EDT 2009
Hi people,
I created an interesting wiki page for the new libcap 2 package (from
Hugo Doria) that is in [testing] now.
It covers all [core] packages that have setuid-root binaries (all work fine), and
the xorg-server(*) from [extra].
I invite all those who want to work with other packages that use setuid
in [extra] and [community].
(*) Preliminary ideas/tips for Xorg that are not currently in the wiki page:
For example, if you have an nvidia card and the kernel module isn't
loaded when X starts, Xorg will load it and create the necessary
device files (/dev/nvidia0 and /dev/nvidiactl). So there are two ways to
handle this: load the kernel module before startx and create the device files
manually, or assign two more capabilities to Xorg (not a good idea).
The minimum capabilities required:
setcap cap_chown,cap_dac_override,cap_sys_rawio,cap_sys_admin+ep /usr/bin/Xorg
If you grant it the ability to load kernel modules and create device nodes (_bad idea_):
setcap cap_chown,cap_dac_override,cap_mknod,cap_sys_module,cap_sys_rawio,cap_sys_admin+ep /usr/bin/Xorg
* cap_sys_admin: it seems this isn't needed when running xorg under VirtualBox.
* cap_chown is required to chown the tty device files on X start/stop.
* cap_sys_rawio is for accessing /dev/mem (this will become
obsolete with KMS [Kernel Mode Setting]).
* cap_dac_override is for writing the logs.
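As an added example (not from this post or from the libcap project), here is a small Python parser for the setcap text form used above, so an admin can compare what a binary currently carries (from getcap output) against the minimal set and see exactly which extra capabilities were granted. The getcap line it feeds in is constructed, not real output; the 'all' shorthand of the text form is not handled.

```python
import re

# One clause of the cap_from_text(3) form used by setcap(8): [cap,cap,...][+-=][eip]
# (the 'all' shorthand is not handled here).
CLAUSE = re.compile(r"^([a-z0-9_,]*)([+=-])([eip]*)$")


def parse_cap_text(text):
    """Return {'e': set, 'p': set, 'i': set} for a setcap capability string.

    Clauses are whitespace separated. '+' raises the listed caps in the named
    flag sets, '-' lowers them, and '=' first clears the listed caps (every cap
    when the list is empty) from all three sets, then raises them in the named ones.
    """
    sets = {"e": set(), "p": set(), "i": set()}
    for clause in text.split():
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"malformed clause: {clause!r}")
        names, op, flags = m.groups()
        caps = {n for n in names.split(",") if n}
        if op == "=":
            for s in sets.values():
                if caps:
                    s.difference_update(caps)
                else:
                    s.clear()
        for f in flags:
            (sets[f].difference_update if op == "-" else sets[f].update)(caps)
    return sets


def parse_getcap_line(line):
    """Split one getcap(8) output line ('path = caps+ep' or 'path caps=ep')."""
    fields = line.split()
    return fields[0], parse_cap_text(fields[-1])


def extra_caps(minimal, granted):
    """Capabilities present in any set of `granted` that `minimal` never grants."""
    return set().union(*granted.values()) - set().union(*minimal.values())


# The two Xorg capability sets proposed in the post above.
MINIMAL = "cap_chown,cap_dac_override,cap_sys_rawio,cap_sys_admin+ep"
WITH_MODULES = ("cap_chown,cap_dac_override,cap_mknod,cap_sys_module,"
                "cap_sys_rawio,cap_sys_admin+ep")

if __name__ == "__main__":
    # Constructed sample getcap line; not real output from any system.
    path, current = parse_getcap_line("/usr/bin/Xorg = " + WITH_MODULES)
    print(path, "effective:", sorted(current["e"]))
    print("beyond the minimal set:", sorted(extra_caps(parse_cap_text(MINIMAL), current)))
```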
Take Care
--
Gerardo Exequiel Pozzi ( djgera )
http://www.djgera.com.ar
KeyID: 0x1B8C330D
Key fingerprint = 0CAA D5D4 CD85 4434 A219 76ED 39AB 221B 1B8C 330D