Hi! On Fri, 2015-02-20 at 11:30:02 +0100, Santiago Vila wrote: > Would it worth to have a procedure like "dpkg-capoverride" so that > whenever a package needs to change a capability, the change gets > registered somewhere other than the filesystem itself?
Yes and no. It might be more convenient, but it introduces other problems. POSIX capabilities (not to be confused with capability-based security!) are defined by a withdrawn POSIX draft spec, and the subset of POSIX capabilities specified in that draft is quite limited, the rest are Linux-specific extensions that have grown organically w/o much thought, many pretty much amount to root rights anyway. I'm not aware of any other (non-Linux) system implementing POSIX capabilities, which means that if something else got to implement them, the non-specified POSIX capabilities might not match 1:1 with the ones found in Linux. So either dpkg would need to try to map them as best as possible (if at all possible) or it would need to punt the problem to the packages, which would need to handle the differences, so it's a leaking interface no matter what. Not very enticing. Another option could be to add a new option to just preserve all xattrs on upgrade, or a specified subset, so the admin or the package could say for example to preserve «security.capabilities» if present. See #502580 for more context. Thanks, Guillem -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]
