[Rpm-maint] ACL and File Capability Support in RPM
Andrew G. Morgan
morgan at kernel.org
Sun Oct 26 04:57:50 UTC 2008
Panu Matilainen wrote:
> I'm ok with adding the functionality they provide, but I think we should
> use libcap and libacl instead of looking at the extended attributes
> directly. libacl and libcap provide portable interfaces (POSIX drafts)
> to the features whereas extended attributes are basically just a
> Linux/filesystem-specific implementation detail (AFAIK).
If I was familiar with how rpm tracks files and meta-data, I'd be happy
to supply a libcap using patch for the rpm code. However, I'm not at all
up to speed on the rpm source code.
What was easy though was to add a '-v' option to libcap's (2.14) setcap
utility. You can use it to verify that the capabilities on a file are
what you expect them to be:
Set the capability:
$ sudo ./setcap cap_setfcap=i setcap
Verify the capability:
$ ./setcap -v cap_setfcap=i setcap
setcap: OK
$
The source code change was pretty trivial.
http://git.kernel.org/?p=libs/libcap/libcap.git;a=blobdiff;f=progs/setcap.c;h=65a1cb49438d1dd7991bd306b40460fe3d0b35ea;hp=0501a9d95665a3ac388cbc164f6a8ca1011693a7;hb=9da338a75b5ae27e3f4226d214977a921d644e60;hpb=9f2e7c5245fc3100ed08d8a133f80afd88e81632
Basically:
#include <sys/capability.h>   /* link with -lcap */

/* Returns 1 if the caps on filename match text_for_reference_caps,
   0 if they differ, -1 if the reference text cannot be parsed. */
int caps_match(const char *filename, const char *text_for_reference_caps)
{
    cap_t ref = cap_from_text(text_for_reference_caps);
    if (ref == NULL)
        return -1;

    cap_t actual = cap_get_file(filename);
    if (actual == NULL) {
        /* assuming you want to treat no file caps as
           equivalent to "set as empty", this may or may
           not be appropriate for a package manager. */
        actual = cap_from_text("=");
    }

    /* cap_compare() returns 0 when the two sets are identical */
    int same = (cap_compare(actual, ref) == 0);

    cap_free(ref);
    cap_free(actual);
    return same;
}
Hope that helps
Cheers
Andrew
PS: http://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/
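As an added example (not code from Andrew's message, from libcap or from rpm), the same verification written as a Python script that calls libcap through ctypes; unlike the sketch above it tells a missing security.capability xattr apart from other read failures, so a package manager can pick either policy for "no caps on the file". It assumes a Linux host with libcap.so.2 installed.

```python
import ctypes
import ctypes.util
import errno
import os

# Added example (not libcap's or rpm's own code); assumes libcap.so.2 is installed.
_lib = ctypes.CDLL(ctypes.util.find_library("cap") or "libcap.so.2", use_errno=True)
_lib.cap_from_text.restype = ctypes.c_void_p   # cap_t handle
_lib.cap_from_text.argtypes = [ctypes.c_char_p]
_lib.cap_get_file.restype = ctypes.c_void_p    # cap_t, NULL on error or no xattr
_lib.cap_get_file.argtypes = [ctypes.c_char_p]
_lib.cap_compare.restype = ctypes.c_int        # 0 when both sets are identical
_lib.cap_compare.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
_lib.cap_free.argtypes = [ctypes.c_void_p]

# errno values getxattr() reports when a file carries no security.capability xattr
_NO_CAPS_ERRNOS = {errno.ENODATA, errno.ENOTSUP}

def _from_text(text):
    ref = _lib.cap_from_text(text.encode())
    if not ref:
        raise ValueError("cannot parse capability text: %r" % text)
    return ref

def caps_equal(text_a, text_b):
    """True if two textual specs (e.g. 'cap_setfcap=i', 'cap_setfcap+i') name the same set."""
    a, b = _from_text(text_a), _from_text(text_b)
    try:
        return _lib.cap_compare(a, b) == 0
    finally:
        _lib.cap_free(a); _lib.cap_free(b)

def verify_file_caps(path, expected_text, missing_as_empty=True):
    """True if PATH carries exactly the capabilities EXPECTED_TEXT describes.
    With missing_as_empty, a file without the xattr counts as the empty set "=";
    otherwise any failure to read the caps raises OSError so the cases stay distinct."""
    ref = _from_text(expected_text)
    try:
        actual = _lib.cap_get_file(path.encode())
        if not actual:
            err = ctypes.get_errno()
            if not (missing_as_empty and err in _NO_CAPS_ERRNOS):
                raise OSError(err, os.strerror(err), path)
            actual = _from_text("=")
        try:
            return _lib.cap_compare(actual, ref) == 0
        finally:
            _lib.cap_free(actual)
    finally:
        _lib.cap_free(ref)
```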