On 17-10-03 at 19:08, Stroller wrote:
> Hello,
> 
> On my Linode VM in /etc/portage/package.use I have:
> 
>   net-misc/iputils -caps -filecaps
> 
> I have no recollection of setting these flags, but `genlop -iputils `
> gives an installation date 2 days after I signed up with Linode, which
> tends to suggest I installed the package. Or perhaps it was part of
> the original Linode Gentoo disk image, and I only updated iputils?
> 
> The USE flag descriptions are meaningless to me and so I have no idea
> why I might have set these flags, were it me who did so:
> 
>   caps - Use Linux capabilities library to control privilege
>   filecaps - Use Linux file capabilities to control privilege rather than 
> set*id (this is orthogonal to USE=caps which uses capabilities at runtime 
> e.g. lib cap)
Capabilities are a method of providing programs with more or less
specific "privileges" as an alternative to running the program as
root/suid. The "caps" useflag controls these at runtime by allowing
programs to drop capabilities that the program doesn't need so that if
something happens it has the ability to break less things. The
"filecaps" flag is the "equivalent" of the suid bit but for specific
capabilities (so instead of providing ping with suid-root you can give
it CAP_NET_RAW only).

It is almost always better to enable both of these where possible since
it helps decrease the attack surface for the programs in question.

Read capabilities(7) for more information.

-- 
Simon Thelen

Reply via email to