[Rpm-maint] ACL and File Capability Support in RPM
pmatilai at laiskiainen.org
Sat Sep 20 09:25:20 UTC 2008
On Mon, 1 Sep 2008, Andreas Gruenbacher wrote:
> Hello all,
> I am trying to get the minimal bits and pieces into place for allowing us to
> start using file capabilities.
> Currently, rpm neither supports acls nor file capabilities, and so when
> they are needed, the usual way is to set them in the %post script. This
> works, but unfortunately rpm then cannot --verify that a file has the right
> permissions and capabilities attached.
> I am not aware of any cases where acls would actually be needed for packaged
> files, so I think that we can safely leave acl support out of rpm for now. It
> would be nice to check for acls in --verify, though.
Agreed, implementing full ACL support doesn't seem necessary (at least
> With file capabilities, things are different: distributions are going to start
> using them instead of suid root binaries, and perhaps to run some daemons
> with fewer privileges. The number of packages using capabilities won't be
> huge, but sure more than a handful.
> I believe that full capability support in rpm would be very useful. I am not
> familiar enough with the rpm codebase, and I don't think I can implement full
> file capability support efficiently.
Capability support would be useful indeed, and adding support for them has
been on my mind for a while now, even if it's missing from all the 15
different TODO/roadmap/etc docs out there :)
> Nevertheless, rpm can meanwhile at least make sure in --verify that no files
> have capabilities attached. To allow turning this check off, a new %verify
> file list flag and a new --nocaps command line option seems to make sense for
> The attached two patches against (our version of) rpm-4.4.2 do the following:
> In --verify, also check for POSIX ACLs as part of the mode checks, and
> complain if any are found.
> Introduce a new "caps" %verify flag, and allocate a flag for it.
> Introduce a new --nocaps command line option.
> In --verify, also check for the presence of file capabilities, and
> complain if any are found. Use "P" as the indicator letter in the
> --verify output (in a new column).
> What do you think -- do these patches look acceptable?
I'm ok with adding the functionality they provide, but I think we should
use libcap and libacl instead of looking at the extended attributes
directly. libacl and libcap provide portable interfaces (POSIX drafts)
to the features whereas extended attributes are basically just a
Linux/filesystem specific implementation detail (AFAIK).
- Panu -
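To make concrete what the proposed --verify check actually looks at, here is an added illustration (not code from rpm, and not from either of the patches discussed above). It reads the security.capability and system.posix_acl_* extended attributes directly, which is the approach Andreas's patches take and the one Panu argues rpm itself should replace with libcap/libacl; reading the raw xattr is used here only because it shows what a "P" finding in the verify column means in terms of the stored capability sets. The on-disk layout constants come from the kernel's include/uapi/linux/capability.h; the sample xattr blob, the small capability name table and the function names are constructed for this example.

```python
import errno
import os
import struct
import tempfile

# Layout of the security.capability xattr (struct vfs_cap_data / vfs_ns_cap_data
# in include/uapi/linux/capability.h). Every field is a little-endian u32.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_1 = 0x01000000   # one 32-bit word per capability set
VFS_CAP_REVISION_2 = 0x02000000   # two 32-bit words per set (64 capability bits)
VFS_CAP_REVISION_3 = 0x03000000   # revision-2 layout plus a trailing rootid
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001

CAP_XATTR = "security.capability"
ACL_XATTRS = ("system.posix_acl_access", "system.posix_acl_default")

# A few well-known capability numbers, only so the output is readable.
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
             3: "cap_fowner", 6: "cap_setgid", 7: "cap_setuid", 8: "cap_setpcap",
             10: "cap_net_bind_service", 12: "cap_net_admin", 13: "cap_net_raw",
             19: "cap_sys_ptrace", 21: "cap_sys_admin"}

# Constructed sample: a revision-2 blob with cap_net_bind_service (bit 10) in the
# permitted set and the effective flag set (what setcap would write for "=ep").
SAMPLE_CAP_XATTR = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                               1 << 10, 0, 0, 0)


def decode_vfs_cap(raw):
    """Decode a security.capability value into its permitted/inheritable sets."""
    if len(raw) < 4:
        raise ValueError("vfs_cap_data too short")
    magic = struct.unpack_from("<I", raw, 0)[0]
    revision = magic & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_1:
        nwords, has_rootid = 1, False
    elif revision == VFS_CAP_REVISION_2:
        nwords, has_rootid = 2, False
    elif revision == VFS_CAP_REVISION_3:
        nwords, has_rootid = 2, True
    else:
        raise ValueError("unknown vfs_cap_data revision 0x%08x" % revision)
    needed = 4 + 8 * nwords + (4 if has_rootid else 0)
    if len(raw) < needed:
        raise ValueError("vfs_cap_data truncated")
    permitted = inheritable = 0
    for i in range(nwords):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = struct.unpack_from("<I", raw, 4 + 8 * nwords)[0] if has_rootid else 0
    return {"revision": revision >> 24, "permitted": permitted, "inheritable": inheritable,
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE), "rootid": rootid}


def cap_names(bits):
    """Render a capability bitmask as names (cap_N for numbers not in the table)."""
    return [CAP_NAMES.get(n, "cap_%d" % n) for n in range(bits.bit_length()) if bits >> n & 1]


def _get_xattr(path, name):
    """Return an xattr value, or None when it is absent or xattrs are unsupported here."""
    getxattr = getattr(os, "getxattr", None)   # only present on Linux builds of Python
    if getxattr is None:
        return None
    absent = {getattr(errno, n) for n in ("ENODATA", "ENOATTR", "ENOTSUP", "EOPNOTSUPP")
              if hasattr(errno, n)}
    try:
        return getxattr(path, name, follow_symlinks=False)
    except OSError as e:
        if e.errno in absent:
            return None
        raise


def verify_file(path):
    """--verify style check: caps go in a 'P' column, an ACL is part of the mode check."""
    raw = _get_xattr(path, CAP_XATTR)
    caps = decode_vfs_cap(raw) if raw is not None else None
    has_acl = any(_get_xattr(path, n) is not None for n in ACL_XATTRS)
    return {"path": path, "caps": caps, "has_caps": caps is not None,
            "has_acl": has_acl, "flag": "P" if caps is not None else "."}


def selftest_plain_file():
    """Verify a freshly created temporary file; it should carry neither caps nor an ACL."""
    with tempfile.NamedTemporaryFile() as f:
        return verify_file(f.name)


if __name__ == "__main__":
    d = decode_vfs_cap(SAMPLE_CAP_XATTR)
    print("sample blob: rev %d permitted=%s effective=%s"
          % (d["revision"], cap_names(d["permitted"]), d["effective"]))
    r = selftest_plain_file()
    print("%s %s caps=%s acl=%s" % (r["flag"], r["path"], r["has_caps"], r["has_acl"]))
```

The ACL part deliberately only asks whether the xattr exists: the kernel stores system.posix_acl_access only when the file has extended ACL entries beyond what the mode bits express, so presence alone is the "complain if any are found" condition from the patch description. For capabilities the decoder matters because a verify tool that later compares against a packaged expectation needs the sets, not just presence; with libcap that comparison would be cap_get_file() plus cap_compare(), which is the portable route Panu prefers.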