RemoveSETUID feature (Was: Summary/Minutes from today's FESCo meeting (2010-10-26) NEW TIME!)

Paul Howarth paul at city-fan.org
Mon Nov 1 19:19:15 UTC 2010 

On Mon, 01 Nov 2010 11:04:09 -0400
Daniel J Walsh <dwalsh at redhat.com> wrote:
> On 11/01/2010 09:44 AM, Paul Howarth wrote:
> > On 29/10/10 04:15, Jason L Tibbitts III wrote:
> >>>>>>> "JN" == Joe Nall<joe at nall.com>  writes:
> >>
> >> JN>  On Oct 28, 2010, at 5:08 PM, Richard W.M. Jones wrote:
> >>
> >>>> More to the point, I can easily see the setuid bit easily on a
> >>>> binary.
> >>>> How do I tell if these strange/hidden "capabilities" are
> >>>> present on a binary?  'ls' doesn't mention anything.
> >>
> >> JN>  getcap
> >>
> >> Interesting.  That's in the libcap package, which is sort of oddly
> >> named because it includes executables.  And of course it's
> >> multilib, but the binaries are arch-specific which I believe is a
> >> multilib conflict. Probably needs the executables split out into a
> >> libcap-tools packages.
> >>
> >> I notice that rpm supports that %caps() directive in the %files
> >> list to specify capabilities.  I don't recall seeing that before;
> >> how long ago did rpm grow support for it?  It looks like it came
> >> in around rpm 4.7, so all supported Fedora releases have it.
> >> However, I'm certain it's not in RHEL4 and I'm pretty sure it's
> >> not in RHEL5 either, so at least the EPEL folks will need to make
> >> a note of it.
> > 
> > I've just come across another issue with this. I use the "tmpfs"
> > plugin with mock usually, and it appears that tmpfs doesn't support
> > the necessary file capabilities, as I get these errors when setting
> > up the buildroot:
> > 
> > DEBUG util.py:267:  Error unpacking rpm package 
> > iputils-20101006-2.fc15.x86_64
> > DEBUG util.py:267:  error: unpacking of archive failed on file 
> > /bin/ping: cpio: cap_set_file failed - Operation not supported
> > DEBUG util.py:267:  Error unpacking rpm package 
> > policycoreutils-2.0.83-32.fc15.x86_64
> > DEBUG util.py:267:  error: unpacking of archive failed on file 
> > /usr/sbin/seunshare: cpio: cap_set_file failed - Operation not
> > supported
> > 
> > If I disable the tmpfs plugin, so mock uses the ext3 filesystem I
> > have on /var/lib/mock, the build succeeds. So at least I have a
> > workaround but I'd like to have tmpfs working as it *really*
> > improves performance.
> > 
> > Paul.
> Paul is this because NOSUID is set on tmpfs?

The tmpfs is set up by mock and I can't see anywhere in the mock code
that it sets nosuid. I can't tell from outside mock what options it's
using as it also uses a namespace. If I just run "mount" from within a
package build I don't get any output.

Any suggestions?

Paul.

More information about the devel mailing list