Revision as of 16:41, 30 October 2010
It would be good to add some documentation here about the existing capabilities, and how to find out which ones are needed for a concrete binary. Also, how do we deal with random runtime breakage if packagers get it wrong? Is there some test plan? --mclasen 19:26, 27 October 2010 (UTC)
- I also would like to see the HOWTO on determining required capabilities. Peter Lemenkov 16:38, 29 October 2010 (UTC)
I dispute the comment that "user experience" would stay the same with this feature. "ls -l" does not show the capabilities, so auditing this becomes more complicated. Because of this, a sysadmin may disable capabilities entirely, leaving these no-longer-setuid programs dead.
Similarly, administrative documentation needs to be updated. Shipped tools that deal with file copy/backup/restore/verification need to be tested for capability to deal with capabilities.
A larger blurb about how this makes Fedora "more secure" would be useful. Fche 16:29, 30 October 2010 (UTC)