Does NFS support Linux Capabilities

J. Bruce Fields bfields at fieldses.org
Fri Sep 9 13:13:55 UTC 2022


On Fri, Sep 09, 2022 at 05:23:46AM -0400, Theodore Ts'o wrote:
> On Thu, Sep 08, 2022 at 08:24:02PM +0000, Chuck Lever III wrote:
> > Given these enormous challenges, who would be willing to pay for
> > standardization and implementation? I'm not saying it can't or
> > shouldn't be done, just that it would be a mighty heavy lift.
> > But maybe other folks on the Cc: list have ideas that could
> > make this easier than I believe it to be.
> 
> ... and this is why the C2 by '92 initiative was doomed to failure,
> and why Posix.1e never completed the standardization process.  :-)
> 
> Honestly, capabilities are super coarse-grained, and I'm not sure they
> are all that useful if we were create blank slate requirements for a
> modern high-security system.  So I'm not convinced the costs are
> sufficient to balance the benefits.

I seem to recall the immediate practical problem people have hit is that
some rpms will fail if it can't set file capabilities.  So in practice
NFS may not work any more for root filesystems.  Maybe there's some
workaround.

Taking a quick look at my laptop, there's not as many as I expected:

[root at parkour bfields]# getcap -r /usr
/usr/bin/arping cap_net_raw=p
/usr/bin/clockdiff cap_net_raw=p
/usr/bin/dumpcap cap_net_admin,cap_net_raw=ep
/usr/bin/newgidmap cap_setgid=ep
/usr/bin/newuidmap cap_setuid=ep
/usr/sbin/mtr-packet cap_net_raw=ep
/usr/sbin/suexec cap_setgid,cap_setuid=ep

--b.



More information about the Linux-security-module-archive mailing list