FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Gentoo > Gentoo Hardened

 
 
LinkBack Thread Tools
 
Old 05-20-2012, 09:35 PM
Alex Efros
 
Default xattr/acl/cap

Hi!

I'm not sure is this right place to ask…

What is current status for filesystem's xattr, acl and caps?

I'm usually keep all of this disabled in kernel, because I don't use them
and wanna avoid needless complexity. But today consolekit (which I don't
use, but which is installed anyway as someone's dependency) asked me to
enable CONFIG_TMPFS_POSIX_ACL. And I decide to check all this crap once again.

I may be wrong here, but after glance look at it I got this impression:

XATTR
Needed only if you use ACL or CAPS (or wanna play with custom file
attributes).
ACL
Not sure about consolekit requirement above, but otherwise it looks
useless (if you don't need to use complicated file permissions).
CAPS
Looks promising, it's always good to remove suid bit, BUT:
a) looks like only app which uses it now on my workstation is
wireshark, even /bin/ping is still installed suid
b) pam_cap.so doesn't used by default (not sure why) so you can't change
user's default capabilities using /etc/security/capability.conf

So, until most/all suid apps in portage get CAPS support for me it looks
like it's better to switch off all these things.

--
WBR, Alex.
 
Old 05-20-2012, 10:45 PM
Michael Orlitzky
 
Default xattr/acl/cap

On 05/20/2012 05:35 PM, Alex Efros wrote:
> Hi!
>
> ACL
> Not sure about consolekit requirement above, but otherwise it looks
> useless (if you don't need to use complicated file permissions).

ACLs are actually very nice if you can get over the initial hurdle of
figuring out how they work. They're a lot like permissions on Windows,
except there's a highly confusing mask entry and umask plays into it...

Anyway, a lot of the time with the standard unix permissions you're
forced to give access to some people who don't need it. ACLs make it
possible to do things right.
 
Old 05-20-2012, 10:46 PM
"Anthony G. Basile"
 
Default xattr/acl/cap

On 05/20/2012 05:35 PM, Alex Efros wrote:

Hi!

I'm not sure is this right place to ask…


Oh no! You committed a grave sin asking here ... j/k You can always
ask and if we don't know then we'll redirect.




What is current status for filesystem's xattr, acl and caps?


Working on it but progress is slow in gentoo. The biggest obstacles are
almost out of the way though with portage and tar both supporting xattr
now but only in ~arch.




I'm usually keep all of this disabled in kernel, because I don't use them
and wanna avoid needless complexity. But today consolekit (which I don't
use, but which is installed anyway as someone's dependency) asked me to
enable CONFIG_TMPFS_POSIX_ACL. And I decide to check all this crap once again.

I may be wrong here, but after glance look at it I got this impression:

XATTR
Needed only if you use ACL or CAPS (or wanna play with custom file
attributes).
ACL
Not sure about consolekit requirement above, but otherwise it looks
useless (if you don't need to use complicated file permissions).
CAPS
Looks promising, it's always good to remove suid bit, BUT:
a) looks like only app which uses it now on my workstation is
wireshark, even /bin/ping is still installed suid
b) pam_cap.so doesn't used by default (not sure why) so you can't change
user's default capabilities using /etc/security/capability.conf

So, until most/all suid apps in portage get CAPS support for me it looks
like it's better to switch off all these things.



Okay this is where I have to redirect you because I'm not aware of this
particular issue, ie why consolekit needs tmpfs posix acls. To be
clear, this means acl support on files that are on a tmpfs system. This
was pushed upstream by redhat that needed it for selinux. But if you're
not running a selinux system, i'm not sure why consolekit would need this.


In general though, its safe to turn on xattr/acl/caps even if you don't
use them, and in some cases, eg selinux or the new pax markings, you
must have xattr.


I don't think this answers your question but it does give you more context.


--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
 
Old 05-21-2012, 12:06 AM
Maxim Kammerer
 
Default xattr/acl/cap

On Mon, May 21, 2012 at 1:46 AM, Anthony G. Basile
<basile@opensource.dyc.edu> wrote:
> Okay this is where I have to redirect you because I'm not aware of this
> particular issue, ie why consolekit needs tmpfs posix acls.

If I am not mistaken, ConsoleKit uses ACLs to grant the currently
active user access to various /dev nodes. E.g., with ConsoleKit you
don't need to put users into "video", "audio" and "cdrom" groups
anymore (corresponding to v4l, sound, and dvd/cdrom devices), so
access permissions are more fine-grained and based on need.

--
Maxim Kammerer
Libert Linux (discussion / support: http://dee.su/liberte-contribute)
 
Old 05-21-2012, 04:34 PM
"Anthony G. Basile"
 
Default xattr/acl/cap

On 05/20/2012 08:06 PM, Maxim Kammerer wrote:

On Mon, May 21, 2012 at 1:46 AM, Anthony G. Basile
<basile@opensource.dyc.edu> wrote:

Okay this is where I have to redirect you because I'm not aware of this
particular issue, ie why consolekit needs tmpfs posix acls.


If I am not mistaken, ConsoleKit uses ACLs to grant the currently
active user access to various /dev nodes. E.g., with ConsoleKit you
don't need to put users into "video", "audio" and "cdrom" groups
anymore (corresponding to v4l, sound, and dvd/cdrom devices), so
access permissions are more fine-grained and based on need.



oh and since /dev is tmpfs, hence the need.

@original poster. turn this on, its a good thing

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
 

Thread Tools




All times are GMT. The time now is 04:52 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org