On 17-10-03 at 19:08, Stroller wrote:
> Hello,
>
> On my Linode VM in /etc/portage/package.use I have:
>
> net-misc/iputils -caps -filecaps
>
> I have no recollection of setting these flags, but `genlop -iputils `
> gives an installation date 2 days after I signed up with Linode, which
> tends to suggest I installed the package. Or perhaps it was part of
> the original Linode Gentoo disk image, and I only updated iputils?
>
> The USE flag descriptions are meaningless to me and so I have no idea
> why I might have set these flags, were it me who did so:
>
> caps - Use Linux capabilities library to control privilege
> filecaps - Use Linux file capabilities to control privilege rather than
> set*id (this is orthogonal to USE=caps which uses capabilities at runtime
> e.g. lib cap)

Capabilities are a method of providing programs with more or less specific "privileges" as an alternative to running the program as root/suid. The "caps" useflag controls these at runtime by allowing programs to drop capabilities that the program doesn't need so that if something happens it has the ability to break fewer things. The "filecaps" flag is the "equivalent" of the suid bit but for specific capabilities (so instead of providing ping with suid-root you can give it CAP_NET_RAW only).

It is almost always better to enable both of these where possible since it helps decrease the attack surface for the programs in question. Read capabilities(7) for more information.

-- 
Simon Thelen
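As an added illustration of the setuid-root versus CAP_NET_RAW-only distinction Simon describes (this is not code from the thread or from iputils), the following Python decodes the Cap* bitmask lines that the kernel exposes in /proc/PID/status into capability names from capabilities(7), and classifies how a binary gets its privilege: the setuid bit in its st_mode, a file capability set (what getcap(8) prints), or neither. The function and variable names, the sample /proc status text, and the example modes are constructed for this example; the capability numbering follows capabilities(7).

```python
# Added example (not from the gentoo-user thread): decode Linux capability
# bitmasks and classify how a binary obtains privilege, mirroring the
# setuid-root vs. CAP_NET_RAW-only distinction for ping discussed above.
import stat

# Capability numbers from capabilities(7); list index == capability number.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]


def decode_caps(hexmask):
    """Turn a hex mask (e.g. the CapEff value in /proc/PID/status) into names."""
    mask = int(hexmask, 16)
    names = []
    bit = 0
    while mask >> bit:
        if mask >> bit & 1:
            # Bits newer than this table get a numeric placeholder name.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def parse_proc_status(text):
    """Extract the Cap* lines from /proc/PID/status text as {field: [names]}."""
    sets = {}
    for line in text.splitlines():
        if line.startswith("Cap"):
            field, value = line.split(":", 1)
            sets[field] = decode_caps(value.strip())
    return sets


def classify_privilege(mode, file_caps):
    """mode: st_mode from os.stat(); file_caps: names getcap(8) reports, or []."""
    if mode & stat.S_ISUID:
        return "setuid"        # full root privilege, as with USE=-filecaps
    if file_caps:
        return "filecaps"      # only the listed capabilities, as with USE=filecaps
    return "unprivileged"


def audit_process(status_text, allowed_caps):
    """Return effective capabilities a process holds beyond an allowed list."""
    effective = parse_proc_status(status_text).get("CapEff", [])
    allowed = set(allowed_caps)
    return [cap for cap in effective if cap not in allowed]


# Constructed sample: a ping process that kept only CAP_NET_RAW after dropping
# everything else at startup (the behaviour USE=caps / libcap enables).
SAMPLE_PING_STATUS = """\
Name:\tping
CapInh:\t0000000000000000
CapPrm:\t0000000000002000
CapEff:\t0000000000002000
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    print(parse_proc_status(SAMPLE_PING_STATUS)["CapEff"])   # ['CAP_NET_RAW']
    print(classify_privilege(0o104755, []))                   # setuid
    print(classify_privilege(0o100755, ["CAP_NET_RAW"]))      # filecaps
    print(audit_process(SAMPLE_PING_STATUS, ["CAP_NET_RAW"])) # []
```

On a live Gentoo box the same checks come from `ls -l /bin/ping` (setuid bit), `getcap /bin/ping` (file capabilities) and `grep Cap /proc/$(pidof ping)/status` (runtime sets); feeding those outputs to the functions above shows at a glance whether ping holds CAP_NET_RAW alone or the whole root capability set.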