iputils - caps and filecaps USE flags?


iputils - caps and filecaps USE flags?

stroller-6
Hello,

On my Linode VM in /etc/portage/package.use I have:

  net-misc/iputils -caps -filecaps

I have no recollection of setting these flags, but `genlop -iputils ` gives an installation date 2 days after I signed up with Linode, which tends to suggest I installed the package. Or perhaps it was part of the original Linode Gentoo disk image, and I only updated iputils?

The USE flag descriptions are meaningless to me and so I have no idea why I might have set these flags, were it me who did so:

  caps - Use Linux capabilities library to control privilege
  filecaps - Use Linux file capabilities to control privilege rather than set*id (this is orthogonal to USE=caps which uses capabilities at runtime e.g. lib cap)

Can anyone possibly explain in simple terms what these USE flags do, and help identify what's best for me?

Thanks in advance for any suggestions,

Stroller.



Re: iputils - caps and filecaps USE flags?

Simon Thelen-2
On 17-10-03 at 19:08, Stroller wrote:

> Hello,
>
> On my Linode VM in /etc/portage/package.use I have:
>
>   net-misc/iputils -caps -filecaps
>
> I have no recollection of setting these flags, but `genlop -iputils `
> gives an installation date 2 days after I signed up with Linode, which
> tends to suggest I installed the package. Or perhaps it was part of
> the original Linode Gentoo disk image, and I only updated iputils?
>
> The USE flag descriptions are meaningless to me and so I have no idea
> why I might have set these flags, were it me who did so:
>
>   caps - Use Linux capabilities library to control privilege
>   filecaps - Use Linux file capabilities to control privilege rather than set*id (this is orthogonal to USE=caps which uses capabilities at runtime e.g. lib cap)
Capabilities are a method of providing programs with more or less
specific "privileges" as an alternative to running the program as
root/suid. The "caps" USE flag controls these at runtime by allowing
programs to drop capabilities that the program doesn't need, so that if
something happens it has the ability to break fewer things. The
"filecaps" flag is the "equivalent" of the suid bit but for specific
capabilities (so instead of providing ping with suid-root you can give
it CAP_NET_RAW only).

It is almost always better to enable both of these where possible since
it helps decrease the attack surface for the programs in question.

Read capabilities(7) for more information.

--
Simon Thelen
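As an added example, not code from iputils or from anyone in this thread: a small C program (Linux only; it uses the raw capget/capset syscalls so it builds without libcap) that performs the runtime drop Simon describes for USE=caps, keeping CAP_NET_RAW and discarding every other capability.

```c
#define _GNU_SOURCE                 /* syscall() declaration in <unistd.h> */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>       /* CAP_NET_RAW, CAP_TO_INDEX, CAP_TO_MASK */

long syscall(long number, ...);     /* explicit prototype, harmless if already declared */

typedef struct __user_cap_data_struct capdata_t[_LINUX_CAPABILITY_U32S_3];

/* Fetch this thread's capability sets via the raw capget(2) syscall (no libcap). */
static int get_caps(capdata_t data) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    memset(data, 0, sizeof(capdata_t));
    return (int)syscall(SYS_capget, &hdr, data);
}

/* 1 if `cap` is in the effective set, 0 if not, -1 on error. */
int has_effective_cap(int cap) {
    capdata_t data;
    if (get_caps(data) != 0) return -1;
    return (data[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) ? 1 : 0;
}

/* Shrink permitted/effective to `keep` only and clear inheritable: the runtime
 * drop a USE=caps ping does, keeping CAP_NET_RAW for its raw ICMP socket and
 * giving up the rest, whether privilege came from setuid-root or from a
 * cap_net_raw file capability (USE=filecaps). Shrinking is always allowed, so
 * this also succeeds for an unprivileged process whose sets are already empty.
 * Returns 0 on success. */
int keep_only_cap(int keep) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    capdata_t data;
    if (get_caps(data) != 0) return -1;
    for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++) {
        __u32 mask = (CAP_TO_INDEX(keep) == i) ? CAP_TO_MASK(keep) : 0;
        data[i].permitted &= mask;      /* permitted can only shrink, never grow */
        data[i].effective &= mask;
        data[i].inheritable = 0;
    }
    return (int)syscall(SYS_capset, &hdr, data);
}

int main(void) {
    if (keep_only_cap(CAP_NET_RAW) != 0) { perror("capset"); return 1; }
    printf("CAP_NET_RAW effective: %d, CAP_SYS_ADMIN effective: %d\n",
           has_effective_cap(CAP_NET_RAW), has_effective_cap(CAP_SYS_ADMIN));
    return 0;
}
```

To see which mechanism an installed ping relies on, compare `ls -l` on the binary (setuid bit) with `getcap` on it (a file capability such as cap_net_raw+ep).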


Re: iputils - caps and filecaps USE flags?

stroller-6

> On 3 Oct 2017, at 20:17, Simon Thelen <[hidden email]> wrote:
>
> It is almost always better to enable both of these where possible since
> it helps decrease the attack surface for the programs in question.

Thanks, I'll do that.

Stroller.