On Sat, 2014-01-25 at 14:32 -0500, Colin Walters wrote:
On Sat, 2014-01-25 at 10:37 -0800, Josh Stone wrote:
> Ok, sure, you can mount -o nosuid,noexec,nodev ... but this isn't the
> default for btrfs subvolume paths AFAIK. It needs to be a conscious
> decision in whatever snapshot design we choose.
This is definitely an issue with the OSTree design, since everything
shares a physical partition (you can choose whatever block storage you
want) - it's just hard links.
I just filed:
https://bugzilla.gnome.org/show_bug.cgi?id=722984
for this.
I forgot by gnome bugzilla password (again) so before I forget:
do not use .files or such it quickly becomes a mess. If you need to
annotate this kind of things I humbly suggest you add an xattr to the
file namespaced to ostree.
Alternatively, if you do not want to touch the original file at all,
keep a separate database where you note all these things, it will make
for a faster lookup in case you need bulk operations instead of having
to troll the whole tree.
But really, now that KDBus is on the way, we can start using it for
system services to replace many setuid binaries, like unix_chkpwd
without losing the auditing trail and such that old indirection via
dbus-daemon required. That's a subject for a different thread though.
This is a good point, but a number of binaries are that way for legacy
reasons, or come from upstreams that care for portability and can't rely
on dbus (yet), so I think you need to care for the problem anyway.
Simo.
--
Simo Sorce * Red Hat, Inc * New York