[arch-general] file system capabilities
Jan de Groot
jan at jgc.homeip.net
Wed Nov 4 10:15:58 EST 2009
On Wed, 2009-11-04 at 20:42 +0530, Shridhar Daithankar wrote:
> Hi,
>
> I was reading thr. /. commentary on the latest linux kernel bug, got drifted
> into file system capabilities. and got this, (from
> http://lwn.net/Articles/313838/)
>
> [root at presario shridhar]# ls -la /bin/ping
> -rwsr-xr-x 1 root root 33360 2008-10-04 17:48 /bin/ping
> [root at presario shridhar]# chmod u-s /bin/ping
> [root at presario shridhar]# setcap cap_net_raw=ep /bin/ping
> [root at presario shridhar]# ls -al /bin/ping
> -rwxr-xr-x 1 root root 33360 2008-10-04 17:48 /bin/ping
> [root at presario shridhar]# exit
> shridhar at presario ~$ ping 192.168.1.5
> PING 192.168.1.5 (192.168.1.5) 56(84) bytes of data.
> 64 bytes from 192.168.1.5: icmp_seq=1 ttl=64 time=0.219 ms
> 64 bytes from 192.168.1.5: icmp_seq=2 ttl=64 time=0.354 ms
> ^C
> --- 192.168.1.5 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 999ms
> rtt min/avg/max/mdev = 0.219/0.286/0.354/0.069 ms
>
> so can this be done by default? thus reducing setuid usage? it should improve
> security right?
This can be done by default, but capabilities aren't preserved when
making tarballs. Every capability has to be set from
post_install/post_upgrade in such cases. Maybe this is something worth
to implement though.
More information about the arch-general
mailing list