Hi, On Fri, Apr 03, 2015 at 01:04:15AM +0100, Justin B Rye wrote: > I'm just back from the local LUG's monthly pub meeting, which means > I'm in just the right state to detect bits that are hard to follow... Heh. (: > > Template: xastir/install-setuid > > Type: boolean > > Default: false > > _Description: Should non-superusers be able to use native AX.25 from Xastir? > > Slightly longer and more technical than the equivalent wireshark > question. I'll assume people installing Xastir should be aware what > AX.25 is, but could we perhaps drop "from Xastir"? Ok, maybe clearer would be to swap "native AX.25 from Xastir" to "native AX.25 interfaces". If you're using Xastir, then you likely do know about AX.25. The Linux kernel has built-in AX.25 support, but Xastir also allows you to use a serial connection to a radio instead of the support in the kernel (which is solved through adding users to the dialout group if they want to use serial interfaces). > > Xastir can be installed in a way that allows members of the "xastir-ax25" > > system group to use a native Linux AX.25 interface from within Xastir. This > > is recommended over the alternative of running Xastir as root, as this > > configuration will attempt to use Linux capabilities to limit the privileges > > available to Xastir to only those required. Note that if Linux capabilities > > are not available, the binary will be installed setuid. > > The main opportunity for confusion here is "this configuration". Does > that mean the xastir-ax25 setup or "the alternative"? It must be the > former, but I have to reread it to be sure. Good point. > Messing around in the hope of finding a clearer way of saying it: > > _Description: Should non-superusers be able to use native AX.25? So, suggest making this: "Should non-superusers be able to use native AX.25 interfaces?" > Xastir can be installed in a way that allows members of the "xastir-ax25" > system group to use a native Linux AX.25 interface from within Xastir. > Where available this configuration uses Linux capabilities in order to > limit the process's privileges to only those required, falling back on > installing the binary setuid where Linux capabilities are not available. I'm happy with this. > This is recommended over the alternative of running Xastir directly as > root, but enabling it may be a security risk, so it is disabled by > default. If in doubt, it is suggested to leave it disabled. Perhaps: "This is recommended over the alternative of running Xastir directly as root, but enabling it may be a security risk, so it is disabled by default. If in doubt, or if you do not intend to use native AX.25 interfaces (using a serial TNC or Internet connection instead), it is suggested to leave it disabled." Is that too long? > Mind you, it still seems strange to say that the system-group approach > is "recommended" if you're going to go on to suggest leaving it > disabled. Hopefully the extra details help to clear it up? Thanks, Iain. -- e: irl@fsfe.org w: iain.learmonth.me x: irl@jabber.fsfe.org t: EPVPN 2105 c: 2M0STB g: IO87we p: 1F72 607C 5FF2 CCD5 3F01 600D 56FF 9EA4 E984 6C49
Attachment:
pgpjH1Jw6BSJL.pgp
Description: PGP signature