Hello All,

linux-2.6.24 supports file-based capabilities via:
CONFIG_SECURITY_FILE_CAPABILITIES

This enables the use of filesystem attributes to store a per-executable
capabilities list; more information at [1].

This enables an improved security level for people who don't wish to
move to SELinux or similar.

I think a new global USE flag (or use current caps) may enable
ebuilds to set the correct capabilities on files.

On my system at least: ping, ping6, tcpdump, wireshark, samba, ntpd,
rlogin, vmware may enjoy this and drop the root suid.

In order to make it simple for everybody, a new eclass may be
introduced to force dependency on >=libcap-2 and provide some atoms.

This will provide a more secure installation for users with a little
effort, and less usage of the root user.

What do you think?

Alon.

[1] http://www.friedhoff.org/fscaps.html
-- 
gentoo-dev@lists.gentoo.org mailing list
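
Added example, not part of the original message or of any Gentoo code: a decoder for the security.capability extended attribute in which the kernel stores the per-executable capability sets discussed above, useful for auditing what a file has actually been granted. It assumes revisions 1 and 2 of the kernel's vfs_cap_data layout; the names cap_names, parse_file_caps and SAMPLE_PING are made up for this illustration, and the sample blob is constructed.

```python
import struct

# Constants from the kernel's <linux/capability.h>.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
WORDS_PER_SET = {0x01000000: 1, 0x02000000: 2}  # revision magic -> 32-bit words
# Subset of capability bit numbers, enough for the sample data below.
CAP_NAMES = {10: "cap_net_bind_service", 12: "cap_net_admin",
             13: "cap_net_raw", 25: "cap_sys_time"}


def cap_names(mask):
    """Turn a capability bitmask into a list of names, lowest bit first."""
    return [CAP_NAMES.get(bit, "cap_%d" % bit)
            for bit in range(mask.bit_length()) if mask >> bit & 1]


def parse_file_caps(blob):
    """Decode a security.capability xattr value (revision 1 or 2)."""
    if len(blob) < 4:
        raise ValueError("truncated capability xattr")
    (magic,) = struct.unpack_from("<I", blob, 0)
    revision = magic & VFS_CAP_REVISION_MASK
    words = WORDS_PER_SET.get(revision)
    if words is None:
        raise ValueError("unsupported revision 0x%08x" % revision)
    if len(blob) != 4 + 8 * words:
        raise ValueError("length does not match revision")
    permitted = inheritable = 0
    for i in range(words):  # word 0 holds bits 0-31, word 1 bits 32-63
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {"revision": revision >> 24,
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": cap_names(permitted),
            "inheritable": cap_names(inheritable)}


# Constructed sample: revision 2, effective flag set, cap_net_raw permitted,
# i.e. the grant a ping binary needs instead of being setuid root.
SAMPLE_PING = struct.pack("<IIIII", 0x02000001, 1 << 13, 0, 0, 0)

if __name__ == "__main__":
    print(parse_file_caps(SAMPLE_PING))
    # On a real system the blob would come from:
    #   os.getxattr("/path/to/binary", "security.capability")
```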
