Re: Posix file capabilities in 2.6.24rc2

From: Serge E. Hallyn
Date: Wed Nov 14 2007 - 13:03:17 EST


Quoting Chris Friedhoff (chris@xxxxxxxxxxxxx):
> Hello Serge,
>
> I wanted only to express what I observed.
>
> A "yes it should" confirms it's ok.
>
> And yes, I haven't looked into the patches and the name and commentary
> of file-capabilities-clear-fcaps-on-inode-change.patch explains this
> already.
> I'm preparing to update my page http://www.friedhoff.org/fscaps.html
> for 2.6.24, and I also want to explain what one has to take into account
> or beware of. If I stumble about this, I think others will also
> (imho).
>
> I have written a script to change suid binaries and servers,
> automating the examples I give on the webpage.

Cool, sounds very useful.

> In the sequence of commands I was setting fscaps and then chown the
> binary. Now with the aforementioned patch the fscaps are removed when
> I chown and the script wasn't working anymore. My point is not my
> script, it's being surprised and being a bit at a loss. Documenting
> this helps to clarify things and users to adopt this feature.
>
>
> The matter with "xinit: Operation not permitted..." happens when I
> (unprivileged user) close an X session started from a console. Similar to
> Andrew Morton's http://lkml.org/lkml/2006/11/23/15 . The 2.6.24-rc2
> kernel has capabilities enabled but /usr/bin/xinit has no capabilities
> set. It remains the black screen with a cursor, the windowmanager is
> closed. Is this known? Is this a problem? Does anyone else observe
> this?

I'm setting up a vm to play with this. Will look into it.

Oh, looking at a few branches, I see that the patch for bug# 9247
(on bugzilla.kernel.org) isn't in 2.6.24-rc2 yet. Can you check
whether the following patch fixes it?

thanks,
-serge