Bug#82473: general: Please update policy to include information on capabilities
On Mon, Jan 15, 2001 at 06:41:23PM -0600, David Starner wrote:
> First, I think this should be a bug on policy, if anywhere.
True; my mistake. Originally I intended to complain on the general lack of
capability support in most packages as well, but later refrained from it.
I don't think I have the authority to reassing the report, do I?
> IMO, it would be much better if you wrote up something on how you think
> capabilities should be handled by Debian first, since this bug isn't going
> anywhere until some who knows and uses capabilities does just that.
I'm not an expert on capabilities myself; I'd rather someone with a better
understanding of the system wrote this 'something' up.
I can merely provide you with what I consider to be the most basic
- developers of packages that contain code running as root or code run at
system startup should familiarize themselves with the capability system
- package documentation should clearly state what capabilities are required
by what part of the package in which stage of operation
- security critical software (such as daemons) should provide a mechanism
for dropping certain capabilities after they are no longer needed
- especially startup scripts need to be audited for capability issues;
basically, the fewer capabilities a startup script needs, the better
I don't think these goals can be realized in the near future, but this is
what I believe would be sensible to aim for.
Andrew Korn (Korn Andras) <email@example.com>
Finger firstname.lastname@example.org for pgp key. QOTD:
Be alert. The world needs more lerts.