[Rpm-maint] ACL and File Capability Support in RPM

Panu Matilainen pmatilai at laiskiainen.org
Sat Sep 20 09:25:20 UTC 2008


On Mon, 1 Sep 2008, Andreas Gruenbacher wrote:

> Hello all,
>
> I am trying to get the minimal bits and pieces into place for allowing us to
> start using file capabilities.

Cool.

>
> Currently, rpm neither supports acls nor file capabilities [1], and so when
> they are needed, the usual way is to set them in the %post script. This
> works, but unfortunately rpm then cannot --verify that a file has the right
> permissions and capabilities attached.
>
> I am not aware of any cases where acls would actually be needed for packaged
> files, so I think that we can safely leave acl support out of rpm for now. It
> would be nice to check for acls in --verify, though.

Agreed, implementing full ACL support doesn't seem necessary (at least 
yet).

>
> With file capabilities, things are different: distributions are going to start
> using them instead of suid root binaries, and perhaps to run some daemons
> with fewer privileges. The number of packages using capabilities won't be
> huge, but sure more than a handful.
>
> I believe that full capability support in rpm would be very useful. I am not
> familiar enough with the rpm codebase, and I don't think I can implement full
> file capability support efficiently.

Capability support would be useful indeed, and adding support for them has 
been on my mind for a while now, even if it's missing from all the 15 
different TODO/roadmap/etc docs out there :)

> Nevertheless, rpm can meanwhile at least make sure in --verify that no files
> have capabilities attached. To allow turning this check off, a new %verify
> file list flag and a new --nocaps command line option seem to make sense to
> me.
>
>
> The attached two patches against (our version of) rpm-4.4.2 do the following:
>
>  verify-acls.diff
>
>    In --verify, also check for POSIX ACLs as part of the mode checks, and
>    complain if any are found.
>
>  verify-file-capabilities.diff
>
>    Introduce a new "caps" %verify flag, and allocate a flag for it.
>    Introduce a new --nocaps command line option.
>    In --verify, also check for the presence of file capabilities, and
>    complain if any are found. Use "P" as the indicator letter in the
>    --verify output (in a new column).
>
>
> What do you think -- do these patches look acceptable?

I'm ok with adding the functionality they provide, but I think we should 
use libcap and libacl instead of looking at the extended attributes 
directly. libacl and libcap provide portable interfaces (POSIX drafts) 
to the features whereas extended attributes are basically just a 
Linux/filesystem-specific implementation detail (AFAIK).

 	- Panu -
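Added illustration (not code from either poster, and not from the attached patches, which are not reproduced here): a small Python model of the --verify check the thread describes. It reports a mode mismatch or an attached POSIX ACL in the existing "M" column and an attached capability set in the new "P" column, honours a "caps" %verify flag and a --nocaps switch, and prints "?" for the columns it does not implement (rpm's marker for a test that could not be performed). It reads the xattrs directly, which is exactly the Linux-specific approach objected to above; the portable equivalents are libcap's cap_get_file() and libacl's acl_extended_file(). The column layout and the xattr names are the Linux kernel's documented ones; the function and parameter names are my own.

```python
"""Model of an rpm --verify check for file capabilities and POSIX ACLs.

Added example, not rpm code.  Reads the Linux xattrs directly; a portable
implementation would call libcap's cap_get_file() and libacl's
acl_extended_file() instead.
"""
import errno
import os
import stat

# Linux xattr names that carry file capabilities and POSIX ACLs.
CAP_XATTR = "security.capability"
ACL_XATTRS = ("system.posix_acl_access", "system.posix_acl_default")

# Column order of rpm -V output (S M 5 D L U G T) with the new 'P' column
# appended.  Only 'M' and 'P' are implemented here; the rest print '?'.
COLUMNS = "SM5DLUGTP"


def _has_xattr(path, name):
    """True if extended attribute `name` is present on `path` (not following symlinks)."""
    try:
        os.getxattr(path, name, follow_symlinks=False)
        return True
    except OSError as e:
        # ENODATA: attribute absent; ENOTSUP: filesystem has no xattrs at all.
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return False
        raise


def has_file_caps(path):
    """True if a capability set is attached to the file."""
    return _has_xattr(path, CAP_XATTR)


def has_acl(path):
    """True if an access or default POSIX ACL is attached to the file."""
    return any(_has_xattr(path, name) for name in ACL_XATTRS)


def verify_file(path, expected_mode, verify_flags=("mode", "caps"), nocaps=False):
    """Return the rpm -V style indicator string for one file.

    expected_mode is the permission bits recorded in the package header
    (hypothetical input here).  verify_flags models the per-file %verify
    list; nocaps models the proposed --nocaps command line option.
    """
    st = os.lstat(path)
    out = []
    for col in COLUMNS:
        if col == "M" and "mode" in verify_flags:
            # The ACL check is folded into the mode check, as the patch does.
            bad = stat.S_IMODE(st.st_mode) != expected_mode or has_acl(path)
            out.append("M" if bad else ".")
        elif col == "P" and "caps" in verify_flags and not nocaps:
            out.append("P" if has_file_caps(path) else ".")
        else:
            out.append("?")  # test not performed
    return "".join(out)


def format_verify_line(path, expected_mode, **kw):
    """Return the line rpm -V would print, or None if nothing is wrong."""
    cols = verify_file(path, expected_mode, **kw)
    if set(cols) <= {".", "?"}:
        return None
    return f"{cols}  {path}"


if __name__ == "__main__":
    import sys
    # Usage: python verify_caps.py <file> <octal expected mode>
    line = format_verify_line(sys.argv[1], int(sys.argv[2], 8))
    print(line if line else "ok")
```

Run it against a file that has been given a capability set with setcap and the "P" column lights up; pass nocaps=True (or drop "caps" from verify_flags, the %verify(not caps) case) and that column becomes "?" instead.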