From: bfields@fieldses.org (J. Bruce Fields)
To: Theodore Ts'o <tytso@mit.edu>
Cc: Chuck Lever III <chuck.lever@oracle.com>,
battery dude <jyf007@gmail.com>,
Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"selinux@vger.kernel.org" <selinux@vger.kernel.org>
Subject: Re: Does NFS support Linux Capabilities
Date: Fri, 9 Sep 2022 09:13:55 -0400 [thread overview]
Message-ID: <20220909131355.GA5674@fieldses.org> (raw)
In-Reply-To: <YxsGIoFlKkpQdSDY@mit.edu>
On Fri, Sep 09, 2022 at 05:23:46AM -0400, Theodore Ts'o wrote:
> On Thu, Sep 08, 2022 at 08:24:02PM +0000, Chuck Lever III wrote:
> > Given these enormous challenges, who would be willing to pay for
> > standardization and implementation? I'm not saying it can't or
> > shouldn't be done, just that it would be a mighty heavy lift.
> > But maybe other folks on the Cc: list have ideas that could
> > make this easier than I believe it to be.
>
> ... and this is why the C2 by '92 initiative was doomed to failure,
> and why Posix.1e never completed the standardization process. :-)
>
> Honestly, capabilities are super coarse-grained, and I'm not sure they
> are all that useful if we were create blank slate requirements for a
> modern high-security system. So I'm not convinced the costs are
> sufficient to balance the benefits.
I seem to recall the immediate practical problem people have hit is that
some rpms will fail if it can't set file capabilities. So in practice
NFS may not work any more for root filesystems. Maybe there's some
workaround.
Taking a quick look at my laptop, there's not as many as I expected:
[root@parkour bfields]# getcap -r /usr
/usr/bin/arping cap_net_raw=p
/usr/bin/clockdiff cap_net_raw=p
/usr/bin/dumpcap cap_net_admin,cap_net_raw=ep
/usr/bin/newgidmap cap_setgid=ep
/usr/bin/newuidmap cap_setuid=ep
/usr/sbin/mtr-packet cap_net_raw=ep
/usr/sbin/suexec cap_setgid,cap_setuid=ep
--b.
next prev parent reply other threads:[~2022-09-09 13:13 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAMBbDaF2Ni0gMRKNeFTQwgAOPPYy7RLXYwDJyZ1edq=tfATFzw@mail.gmail.com>
2022-09-08 20:24 ` Does NFS support Linux Capabilities Chuck Lever III
2022-09-08 21:03 ` Jeff Layton
2022-09-08 21:17 ` Chuck Lever III
2022-09-08 21:28 ` Jeff Layton
[not found] ` <CAMBbDaEYWfcuf0bZkCFxaK=9zFVCuvMn1rtHcoP+axcF6BGtcA@mail.gmail.com>
2022-09-08 22:21 ` Jeff Layton
2022-09-09 9:23 ` Theodore Ts'o
2022-09-09 13:13 ` J. Bruce Fields [this message]
2022-09-09 14:53 ` Chuck Lever III
2022-09-09 15:59 ` Casey Schaufler
2022-09-10 22:15 ` battery dude
2022-09-11 10:00 ` Theodore Ts'o
2022-09-12 4:03 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220909131355.GA5674@fieldses.org \
--to=bfields@fieldses.org \
--cc=chuck.lever@oracle.com \
--cc=jyf007@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=selinux@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).