Re: Using capabilities for libpcap apps

2010-04-07 Thread Serge E. Hallyn
Quoting Miroslav Lichvar (mlich...@redhat.com):
 On Tue, Apr 06, 2010 at 10:47:22PM +0200, Radek Vokál wrote:
  Hi all,
  
  I need a few suggestions about this .. 
  https://blog.wireshark.org/2010/02/running-wireshark-as-you/ .. Gerald 
  Combs, the upstream maintainer of wireshark, suggests to use 
  capabilities instead of consolehelper+root privileges for 
  dumpcap/wireshark. It makes a whole lot of sense, so I've looked if other 
  apps in Fedora are already using it and I haven't found any. Honestly 
  I'm not sure about the right way to use them. The idea is to add something 
  like the following to %post
  
  # groupadd -g wireshark
  # chgrp wireshark /usr/bin/dumpcap
  # setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
  # setcap cap_net_raw,cap_net_admin+eip /usr/bin/tshark
 
 This is useful to avoid having a setuid binary, but how will regular
 users get access to the wireshark group? Maybe through policykit?

The originally quoted URL also says:

# groupadd -g wireshark
# usermod -a -G wireshark gerald

-serge
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
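A small audit of the capability-based setup discussed in this message, added here as an example and not code from the thread or from Wireshark. It parses `getcap` output and checks the points raised above (no setuid bit, the right capabilities on the binary, group ownership and group membership), plus one the quoted commands leave out: without a `chmod 750`, the `chgrp` does not restrict anyone. The sample values are constructed.

```python
import re
import stat

# Capabilities the quoted setcap command grants dumpcap instead of setuid root.
REQUIRED_CAPS = {"cap_net_raw", "cap_net_admin"}
# Group that the quoted commands use to gate access to the binary.
CAPTURE_GROUP = "wireshark"


def parse_getcap(line):
    """Parse one line of getcap output. Both the older libcap form
    '/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip' and the newer
    '/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip' are accepted.
    Returns (path, set of capability names, set of flag letters) or None."""
    m = re.match(r"^(\S+)\s*=?\s*([a-z_,]+)([=+])([eip]+)$", line.strip())
    if not m:
        return None
    path, caps, _, flags = m.groups()
    return path, set(caps.split(",")), set(flags)


def audit_capture_helper(mode, group, caps, flags, user_groups):
    """Check a dumpcap-style helper against the setup discussed in the thread.
    mode is the binary's st_mode, group its owning group name, caps/flags come
    from parse_getcap, user_groups are the groups of the user who captures.
    Returns a list of findings; an empty list means the setup is as intended."""
    findings = []
    if mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("binary is setuid/setgid; file capabilities should replace that")
    missing = REQUIRED_CAPS - caps
    if missing:
        findings.append("missing capabilities: " + ",".join(sorted(missing)))
    if not {"e", "p"} <= flags:
        findings.append("capabilities are not permitted+effective, so they never take effect")
    if group != CAPTURE_GROUP:
        findings.append(f"binary is owned by group {group}, expected {CAPTURE_GROUP}")
    if mode & stat.S_IXOTH:
        # chgrp alone restricts nothing: the quoted commands lack a chmod 750.
        findings.append("world-executable: group ownership does not gate access")
    if CAPTURE_GROUP not in user_groups:
        findings.append(f"user is not in group {CAPTURE_GROUP} (usermod -a -G)")
    return findings


if __name__ == "__main__":
    # Constructed sample: a binary set up as in the thread, minus chmod 750.
    path, caps, flags = parse_getcap("/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip")
    for f in audit_capture_helper(0o100755, "wireshark", caps, flags, {"gerald", "wireshark"}):
        print(path, "->", f)
```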


Re: RFC: Remove write permissions from executables

2010-01-28 Thread Serge E. Hallyn
Quoting Richard Zidlicky (r...@linux-m68k.org):
 On Wed, Jan 27, 2010 at 11:11:41AM -0600, Serge E. Hallyn wrote:
 
   All in all I think it's a shame that the original proposal didn't work
   out at this time. Having binaries owned by bin:bin does have Unix (but
   not Linux AFAIK) tradition behind it.
  
  And remounting ro doesn't let a task with CAP_DAC_OVERRIDE write.
 
 read only fs is not necessarily a normal fs that's mounted ro. rpm could have
 a hook to do whatever is necessary, it is just one program that needs to be
 modified.
 Relying on CAP_DAC_OVERRIDE has imho more potential for breakage and
 provides less protection.

Oh, right, this is for /bin and /sbin only isn't it - so ro fs could
be good.  I was thinking about /etc, which I guess isn't being considered
yet.

-serge