Talk:Features/RemoveSETUID

From FedoraProject

Revision as of 16:41, 30 October 2010 by Fche (Talk | contribs)

Jump to: navigation, search

It would be good to add some documentation here about the existing capabilities, and how to find out which ones are needed for a concrete binary. Also, how do we deal with random runtime breakage if packagers get it wrong ? Is there some testplan ? --mclasen 19:26, 27 October 2010 (UTC)

I also would like to see the HOWTO on determining required capabilities. Peter Lemenkov 16:38, 29 October 2010 (UTC)

I dispute the comment that "user experience" would stay the same with this feature. "ls -l" does not show the capabilities, so auditing this becomes more complicated. Because of this, a sysadmin may disable capabilities entirely, leaving these no-longer-setuid programs dead.

Similarly, administrative documentation needs to be updated. Shipped tools that deal with file copy/backup/restore/verification need to be tested for capability to deal with capabilities.

A larger blurb about how this makes Fedora "more secure" would be useful. Fche 16:29, 30 October 2010 (UTC)