11-01-2010, 12:44 PM
Paul Howarth

RemoveSETUID feature (Was: Summary/Minutes from today's FESCo meeting (2010-10-26) NEW TIME!)

On 29/10/10 04:15, Jason L Tibbitts III wrote:
>>>>>> "JN" == Joe Nall<joe@nall.com> writes:
>
> JN> On Oct 28, 2010, at 5:08 PM, Richard W.M. Jones wrote:
>
>>> More to the point, I can easily see the setuid bit easily on a
>>> binary.
>>> How do I tell if these strange/hidden "capabilities" are
>>> present on a binary? 'ls' doesn't mention anything.
>
> JN> getcap
>
> Interesting. That's in the libcap package, which is sort of oddly named
> because it includes executables. And of course it's multilib, but the
> binaries are arch-specific which I believe is a multilib conflict.
> Probably needs the executables split out into a libcap-tools packages.
>
> I notice that rpm supports that %caps() directive in the %files list to
> specify capabilities. I don't recall seeing that before; how long ago
> did rpm grow support for it? It looks like it came in around rpm 4.7,
> so all supported Fedora releases have it. However, I'm certain it's not
> in RHEL4 and I'm pretty sure it's not in RHEL5 either, so at least the
> EPEL folks will need to make a note of it.

I've just come across another issue with this. I use the "tmpfs" plugin
with mock usually, and it appears that tmpfs doesn't support the
necessary file capabilities, as I get these errors when setting up the
buildroot:

DEBUG util.py:267: Error unpacking rpm package iputils-20101006-2.fc15.x86_64
DEBUG util.py:267: error: unpacking of archive failed on file /bin/ping: cpio: cap_set_file failed - Operation not supported
DEBUG util.py:267: Error unpacking rpm package policycoreutils-2.0.83-32.fc15.x86_64
DEBUG util.py:267: error: unpacking of archive failed on file /usr/sbin/seunshare: cpio: cap_set_file failed - Operation not supported

If I disable the tmpfs plugin, so mock uses the ext3 filesystem I have
on /var/lib/mock, the build succeeds. So at least I have a workaround
but I'd like to have tmpfs working as it *really* improves performance.

Paul.
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
11-01-2010, 02:04 PM
Daniel J Walsh

RemoveSETUID feature (Was: Summary/Minutes from today's FESCo meeting (2010-10-26) NEW TIME!)

On 11/01/2010 09:44 AM, Paul Howarth wrote:
> On 29/10/10 04:15, Jason L Tibbitts III wrote:
>>>>>>> "JN" == Joe Nall<joe@nall.com> writes:
>>
>> JN> On Oct 28, 2010, at 5:08 PM, Richard W.M. Jones wrote:
>>
>>>> More to the point, I can easily see the setuid bit easily on a
>>>> binary.
>>>> How do I tell if these strange/hidden "capabilities" are
>>>> present on a binary? 'ls' doesn't mention anything.
>>
>> JN> getcap
>>
>> Interesting. That's in the libcap package, which is sort of oddly named
>> because it includes executables. And of course it's multilib, but the
>> binaries are arch-specific which I believe is a multilib conflict.
>> Probably needs the executables split out into a libcap-tools packages.
>>
>> I notice that rpm supports that %caps() directive in the %files list to
>> specify capabilities. I don't recall seeing that before; how long ago
>> did rpm grow support for it? It looks like it came in around rpm 4.7,
>> so all supported Fedora releases have it. However, I'm certain it's not
>> in RHEL4 and I'm pretty sure it's not in RHEL5 either, so at least the
>> EPEL folks will need to make a note of it.
>
> I've just come across another issue with this. I use the "tmpfs" plugin
> with mock usually, and it appears that tmpfs doesn't support the
> necessary file capabilities, as I get these errors when setting up the
> buildroot:
>
> DEBUG util.py:267: Error unpacking rpm package
> iputils-20101006-2.fc15.x86_64
> DEBUG util.py:267: error: unpacking of archive failed on file
> /bin/ping: cpio: cap_set_file failed - Operation not supported
> DEBUG util.py:267: Error unpacking rpm package
> policycoreutils-2.0.83-32.fc15.x86_64
> DEBUG util.py:267: error: unpacking of archive failed on file
> /usr/sbin/seunshare: cpio: cap_set_file failed - Operation not supported
>
> If I disable the tmpfs plugin, so mock uses the ext3 filesystem I have
> on /var/lib/mock, the build succeeds. So at least I have a workaround
> but I'd like to have tmpfs working as it *really* improves performance.
>
> Paul.
Paul, is this because NOSUID is set on tmpfs?
 
11-01-2010, 06:19 PM
Paul Howarth

RemoveSETUID feature (Was: Summary/Minutes from today's FESCo meeting (2010-10-26) NEW TIME!)

On Mon, 01 Nov 2010 11:04:09 -0400
Daniel J Walsh <dwalsh@redhat.com> wrote:
> On 11/01/2010 09:44 AM, Paul Howarth wrote:
> > On 29/10/10 04:15, Jason L Tibbitts III wrote:
> >>>>>>> "JN" == Joe Nall<joe@nall.com> writes:
> >>
> >> JN> On Oct 28, 2010, at 5:08 PM, Richard W.M. Jones wrote:
> >>
> >>>> More to the point, I can easily see the setuid bit easily on a
> >>>> binary.
> >>>> How do I tell if these strange/hidden "capabilities" are
> >>>> present on a binary? 'ls' doesn't mention anything.
> >>
> >> JN> getcap
> >>
> >> Interesting. That's in the libcap package, which is sort of oddly
> >> named because it includes executables. And of course it's
> >> multilib, but the binaries are arch-specific which I believe is a
> >> multilib conflict. Probably needs the executables split out into a
> >> libcap-tools packages.
> >>
> >> I notice that rpm supports that %caps() directive in the %files
> >> list to specify capabilities. I don't recall seeing that before;
> >> how long ago did rpm grow support for it? It looks like it came
> >> in around rpm 4.7, so all supported Fedora releases have it.
> >> However, I'm certain it's not in RHEL4 and I'm pretty sure it's
> >> not in RHEL5 either, so at least the EPEL folks will need to make
> >> a note of it.
> >
> > I've just come across another issue with this. I use the "tmpfs"
> > plugin with mock usually, and it appears that tmpfs doesn't support
> > the necessary file capabilities, as I get these errors when setting
> > up the buildroot:
> >
> > DEBUG util.py:267: Error unpacking rpm package
> > iputils-20101006-2.fc15.x86_64
> > DEBUG util.py:267: error: unpacking of archive failed on file
> > /bin/ping: cpio: cap_set_file failed - Operation not supported
> > DEBUG util.py:267: Error unpacking rpm package
> > policycoreutils-2.0.83-32.fc15.x86_64
> > DEBUG util.py:267: error: unpacking of archive failed on file
> > /usr/sbin/seunshare: cpio: cap_set_file failed - Operation not
> > supported
> >
> > If I disable the tmpfs plugin, so mock uses the ext3 filesystem I
> > have on /var/lib/mock, the build succeeds. So at least I have a
> > workaround but I'd like to have tmpfs working as it *really*
> > improves performance.
> >
> > Paul.
> Paul is this because NOSUID is set on tmpfs?

The tmpfs is set up by mock and I can't see anywhere in the mock code
that it sets nosuid. I can't tell from outside mock what options it's
using as it also uses a namespace. If I just run "mount" from within a
package build I don't get any output.

Any suggestions?

Paul.
 
11-01-2010, 07:28 PM
"Richard W.M. Jones"

RemoveSETUID feature (Was: Summary/Minutes from today's FESCo meeting (2010-10-26) NEW TIME!)

On Mon, Nov 01, 2010 at 07:19:15PM +0000, Paul Howarth wrote:
> Any suggestions?

We've encountered some funny things about tmpfs before: It doesn't
support O_DIRECT at all, for example, necessitating workarounds in
libguestfs/qemu. Just speculating, but maybe it doesn't support
extended attributes, or has only partial support for them?

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming blog: http://rwmj.wordpress.com
Fedora now supports 80 OCaml packages (the OPEN alternative to F#)
http://cocan.org/getting_started_with_ocaml_on_red_hat_and_fedora
 
11-07-2010, 05:23 PM
Lennart Poettering

RemoveSETUID feature (Was: Summary/Minutes from today's FESCo meeting (2010-10-26) NEW TIME!)

On Mon, 01.11.10 20:28, Richard W.M. Jones (rjones@redhat.com) wrote:

>
> On Mon, Nov 01, 2010 at 07:19:15PM +0000, Paul Howarth wrote:
> > Any suggestions?
>
> We've encountered some funny things about tmpfs before: It doesn't
> support O_DIRECT at all, for example, necessitating workarounds in
> libguestfs/qemu. Just speculating, but maybe it doesn't support
> extended attributes, or has only partial support for them?

tmpfs as of now does not support user xattrs. Only SELinux labels are
supported.

Lennart

--
Lennart Poettering - Red Hat, Inc.
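
Added example, not part of any message in this thread: file capabilities are stored in the `security.capability` extended attribute, which is why `ls` shows nothing and why they depend on the filesystem's xattr support. This Python sketch decodes that attribute and separates "no capabilities" from "not supported"; the helper names and the sample bytes are constructed for illustration.

```python
import errno
import os
import struct

# Constants from <linux/capability.h>
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision -> number of 32-bit (permitted, inheritable) pairs
U32_PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}
# Subset of capability bit numbers; any other bit is shown as cap_<n>
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 6: "cap_setgid",
             7: "cap_setuid", 12: "cap_net_admin", 13: "cap_net_raw",
             21: "cap_sys_admin"}


def decode_vfs_caps(raw):
    """Decode a security.capability xattr value (struct vfs_cap_data)."""
    (magic,) = struct.unpack_from("<I", raw, 0)
    pairs = U32_PAIRS.get(magic & VFS_CAP_REVISION_MASK)
    if pairs is None or len(raw) < 4 + 8 * pairs:
        raise ValueError("unrecognised or truncated vfs_cap_data")
    words = struct.unpack_from("<%dI" % (2 * pairs), raw, 4)
    permitted = sum(words[2 * i] << (32 * i) for i in range(pairs))
    inheritable = sum(words[2 * i + 1] << (32 * i) for i in range(pairs))
    names = lambda mask: sorted(CAP_NAMES.get(b, "cap_%d" % b)
                                for b in range(64) if mask >> b & 1)
    return {"effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": names(permitted), "inheritable": names(inheritable)}


def file_caps(path):
    """Decoded caps, None if the file carries none, or "unsupported" when
    the filesystem answers ENOTSUP ("Operation not supported")."""
    try:
        return decode_vfs_caps(os.getxattr(path, "security.capability"))
    except OSError as e:
        if e.errno == errno.ENODATA:
            return None
        if e.errno == errno.ENOTSUP:
            return "unsupported"
        raise


# Constructed sample: revision 2, effective flag set, permitted = cap_net_raw
SAMPLE_PING = struct.pack("<5I", 0x02000001, 1 << 13, 0, 0, 0)
```

Running `file_caps()` over a buildroot's binaries before and after moving it to another filesystem shows whether capabilities survived the copy.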