On Wed, 2008-10-29 at 15:02 -0400, Steve Grubb wrote:
We tried to support this in F-10 by having a test run with ping. We
figured
that is a simple well defined app that could be used as a test subject. We
opened bz 455713 to document the change over. Turns out that people compile
their own kernels and do not necessarily turn this on. So, what do we do in
that case?
I thought more about this.
How about a check in rc.sysinit to see if the kernel supports
capabilities?
If the check fails it could do either or both of the following:
1. Display and log nasty warning message
2. Run the command: chmod u+s `cat /etc/posixcapbinaries`
Doing 2. would be the "friendly" thing to give the user a non-broken
system. It does make it a bit more complicated because you'd want some
logic that if they booted back to a kernel with posix capabilities you
stripped the suid bits. Also, rpm verity will complain.
Dax Kelson
Guru Labs