From: Chuck Lever III <chuck.lever@oracle.com>
To: Bruce Fields <bfields@fieldses.org>
Cc: Theodore Ts'o <tytso@mit.edu>, battery dude <jyf007@gmail.com>,
Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"selinux@vger.kernel.org" <selinux@vger.kernel.org>
Subject: Re: Does NFS support Linux Capabilities
Date: Fri, 9 Sep 2022 14:53:55 +0000 [thread overview]
Message-ID: <2A4AED07-2D8C-420C-9203-A2ABE9EA81E2@oracle.com> (raw)
In-Reply-To: <20220909131355.GA5674@fieldses.org>

> On Sep 9, 2022, at 9:13 AM, J. Bruce Fields <bfields@fieldses.org> wrote:
>
> On Fri, Sep 09, 2022 at 05:23:46AM -0400, Theodore Ts'o wrote:
>> On Thu, Sep 08, 2022 at 08:24:02PM +0000, Chuck Lever III wrote:
>>> Given these enormous challenges, who would be willing to pay for
>>> standardization and implementation? I'm not saying it can't or
>>> shouldn't be done, just that it would be a mighty heavy lift.
>>> But maybe other folks on the Cc: list have ideas that could
>>> make this easier than I believe it to be.
>>
>> ... and this is why the C2 by '92 initiative was doomed to failure,
>> and why Posix.1e never completed the standardization process. :-)
>>
>> Honestly, capabilities are super coarse-grained, and I'm not sure they
>> are all that useful if we were to create blank slate requirements for a
>> modern high-security system. So I'm not convinced the costs are
>> sufficient to balance the benefits.
>
> I seem to recall the immediate practical problem people have hit is that
> some rpms will fail if it can't set file capabilities.

Indeed, that is the most common reason for a request to implement
capabilities for NFS files.

> So in practice NFS may not work any more for root filesystems.

"may not work any more" -- well let's be precise. NFS works for root,
but doesn't support distributions that require file capabilities on
certain executables. Thus it cannot be used in those cases.

> Maybe there's some workaround.

The workaround I'm familiar with is to use a local filesystem that
implements extended attributes, but store it on network-attached
block storage (e.g. iSCSI).

> Taking a quick look at my laptop, there's not as many as I expected:
>
> [root@parkour bfields]# getcap -r /usr
> /usr/bin/arping cap_net_raw=p
> /usr/bin/clockdiff cap_net_raw=p
> /usr/bin/dumpcap cap_net_admin,cap_net_raw=ep
> /usr/bin/newgidmap cap_setgid=ep
> /usr/bin/newuidmap cap_setuid=ep
> /usr/sbin/mtr-packet cap_net_raw=ep
> /usr/sbin/suexec cap_setgid,cap_setuid=ep

Yep, it's still a short list.

--
Chuck Lever
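As an added example (not code from this thread or from any of its participants): a small Python audit that parses `getcap -r` output like the listing quoted above, then probes each file for its `security.capability` xattr, so a capability that was never stored (the NFS case the thread describes) or that has gone missing is reported before the executable fails at runtime. The errno mapping (ENODATA = filesystem supports the attribute but the file has none; ENOTSUP/EOPNOTSUPP = filesystem cannot store it) and the `simulated_probe` outcomes are assumptions made for illustration; the real probe uses `os.getxattr` and needs Linux.

```python
"""Audit file capabilities on an installed tree.

Parses getcap(8) output and reports, for each listed executable, whether the
security.capability xattr is actually present on the file. On a filesystem
that cannot store that xattr, the probe reports "unsupported" rather than
silently reading back nothing.
"""
import errno
import os
import re
from dataclasses import dataclass

# One clause per line, in the two layouts getcap has used over the years:
#   /usr/bin/arping cap_net_raw=p          (current style, as quoted in the thread)
#   /usr/bin/arping = cap_net_raw+p        (older style)
# Paths containing whitespace are not handled (assumption for this example).
GETCAP_LINE = re.compile(
    r"^(?P<path>\S+)(?: = |\s+)(?P<caps>[a-z0-9_,]+)[=+](?P<flags>[eip]{1,3})$"
)

# errno values meaning "this filesystem cannot store the attribute at all".
UNSUPPORTED_ERRNOS = {
    e for e in (getattr(errno, "ENOTSUP", None), getattr(errno, "EOPNOTSUPP", None))
    if e is not None
}


@dataclass(frozen=True)
class FileCaps:
    path: str
    caps: tuple   # e.g. ("cap_net_admin", "cap_net_raw")
    flags: str    # any of e (effective), i (inheritable), p (permitted)


def parse_getcap(output: str) -> list:
    """Turn `getcap -r` output into FileCaps records; reject lines we don't understand."""
    records = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = GETCAP_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised getcap line: {line!r}")
        records.append(FileCaps(m["path"], tuple(m["caps"].split(",")), m["flags"]))
    return records


def read_security_capability(path: str) -> bytes:
    """Default probe: read the raw security.capability xattr (Linux only)."""
    getxattr = getattr(os, "getxattr", None)
    if getxattr is None:
        raise OSError(errno.ENOTSUP, "xattrs not available on this platform")
    return getxattr(path, "security.capability")


def audit(records, probe=read_security_capability) -> dict:
    """Map each path to 'present', 'missing', 'unsupported' or 'absent-file'.

    `probe` is injectable so the logic can be exercised without root or a real
    mount. The errno mapping is an assumption based on xattr semantics.
    """
    result = {}
    for rec in records:
        try:
            blob = probe(rec.path)
            result[rec.path] = "present" if blob else "missing"
        except OSError as exc:
            if exc.errno == errno.ENODATA:
                result[rec.path] = "missing"
            elif exc.errno in UNSUPPORTED_ERRNOS:
                result[rec.path] = "unsupported"
            elif exc.errno == errno.ENOENT:
                result[rec.path] = "absent-file"
            else:
                raise
    return result


# Sample input: the getcap listing quoted in the thread above.
SAMPLE_GETCAP = """\
/usr/bin/arping cap_net_raw=p
/usr/bin/clockdiff cap_net_raw=p
/usr/bin/dumpcap cap_net_admin,cap_net_raw=ep
/usr/bin/newgidmap cap_setgid=ep
/usr/bin/newuidmap cap_setuid=ep
/usr/sbin/mtr-packet cap_net_raw=ep
/usr/sbin/suexec cap_setgid,cap_setuid=ep
"""


# Constructed probe mimicking a mixed install: /usr/sbin sits on a mount that
# cannot store security.* xattrs, arping has lost its attribute, clockdiff is
# not installed, everything else is intact. Outcomes are invented for the demo.
def simulated_probe(path: str) -> bytes:
    if path.startswith("/usr/sbin/"):
        raise OSError(errno.ENOTSUP, "filesystem does not support security.capability")
    if path == "/usr/bin/arping":
        raise OSError(errno.ENODATA, "no security.capability attribute")
    if path == "/usr/bin/clockdiff":
        raise OSError(errno.ENOENT, "no such file")
    return b"\x01\x00\x00\x02"  # constructed placeholder, not a real capability blob


if __name__ == "__main__":
    for path, status in audit(parse_getcap(SAMPLE_GETCAP), probe=simulated_probe).items():
        print(f"{status:12} {path}")
```

Run it against a real tree by feeding `subprocess.run(["getcap", "-r", "/usr"], capture_output=True, text=True).stdout` to `parse_getcap` and leaving `probe` at its default; any "unsupported" entry is a file whose packager-set capability the mount could not hold, which is exactly the failure mode the rpm case above trips over.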