Sponsored link
Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
| |||||||||||
A bid to resurrect Linux capabilitiesA bid to resurrect Linux capabilitiesPosted Sep 14, 2006 10:00 UTC (Thu) by nix (subscriber, #2304)Parent article: A bid to resurrect Linux capabilities
Well, a capability-based system would have no trouble keeping anything in sync with the capability masks on files, because there *is* nothing to keep in sync. The relabelling operation consists (very roughly) of tracking down the xattrs on labelled files and bringing them in sync with what's defined in the SELinux config files: no analogous operation exists if xattrs are the only storage representation, just as you don't need to wait for ages while permissions are synched with anything when you boot :)
(The interaction of all this with Samba and NFS-without-xattrs is interesting: the standard capability inheritance model is totally broken in that situation. Mind you it's quite rare to run binaries over NFS these days.)
(Log in to post comments)
A bid to resurrect Linux capabilities Posted Sep 14, 2006 11:35 UTC (Thu) by jschrod (subscriber, #1646) [Link] Mind you it's quite rare to run binaries over NFS these days.I don't agree with that opinion. A common use of NFS is to provide netwide home directories. If a user installs any program privately, or if she develops programs, executables will be run from this NFS share. And IMNSHO this scenario is not "quite rare". Cheers, Joachim
A bid to resurrect Linux capabilities Posted Sep 14, 2006 18:58 UTC (Thu) by nix (subscriber, #2304) [Link] I was thinking that it's rare compared to the number of programs installedin /usr/bin: but then if the user's compiled a program herself she's a lot more likely to run it than a given random binary in /usr/bin...
A bid to resurrect Linux capabilities Posted Sep 14, 2006 22:13 UTC (Thu) by im14u2c (subscriber, #5246) [Link] ...in which case a "default per-mount permitted capabilities" sounds useful.
|
|||||||||||