carcajou Apprentice
Joined: 10 Jun 2008 Posts: 248
|
Posted: Sat Jun 11, 2022 6:50 am Post subject: caps USE flag (and general recommended USE flags question)? |
|
|
Hi guys.
I use the 17.1/nomultilib profile. Initially, I considered making a custom profile and combining the desktop/plasma profile with the nomultilib one; however, I gave up in the end and just use a bunch of dedicated files in my package.use folder with USE flags set globally. For example:
Code: |
$ cat /etc/portage/package.use/00kde
*/* kde plasma semantic-desktop ...
|
Anyway, during last evening's upgrade, I noticed that kde-plasma/kwin has -caps. Decided to check what it is:
Code: |
Use Linux capabilities library to control privilege
|
No idea what it does ... However, I noticed that it is an optional USE flag for many important packages, including glibc. Can someone explain to me in more detail whether I need it and what it does?
Also, a general question - is there a list of recommended USE flags (security wise), that are maybe not set by the default profile choice, but it is a good idea to have them on?
Thank you. |
|
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5293 Location: Bavaria
|
Posted: Sat Jun 11, 2022 10:20 am Post subject: |
|
|
kukibl wrote: | I use the 17.1/nomultilib profile. Initially, I considered making a custom profile and combining the desktop/plasma profile with the nomultilib one; however, I gave up in the end and just use a bunch of dedicated files in my package.use folder [...] |
I quote myself from another thread =>
Two years ago we had a very interesting thread. I also had No-Multilib and wanted KDE (plasma). I described my procedure to find out what use-flags I will need, and ... I was doing it wrong. The reason is:
You have some use-flags (e.g. "wayland") which are enabled in the plasma profile only for some packages and not centrally for all packages. These use-flags you will not see when doing an "emerge --info".
So, the solution is to combine two profiles together, described by @grknight here: https://forums.gentoo.org/viewtopic-p-8694188.html#8694188
Do an "emerge -uUDv @world" afterwards.
kukibl wrote: | No idea what it does ... However, I noticed that it is an optional USE flag for many important packages, including glibc. Can someone explain to me in more detail whether I need it and what it does? |
Just do a
You can have "ping" with a suid-bit OR you can give "ping" the needed capabilities. With this use-flag you can enable it.
kukibl wrote: | Also, a general question - is there a list of recommended USE flags (security wise), that are maybe not set by the default profile choice, but it is a good idea to have them on? |
AFAIK, no, there is no list. Important use-flags for security are enabled by default (for this package); take a look at "emerge -pvD gcc" and you will see "pie", even if you don't have it enabled globally ...
(If you want a more secure system I could only recommend my German installation guide here in our forum in "Deutsche Dokumentation"). |
|
carcajou Apprentice
Joined: 10 Jun 2008 Posts: 248
|
Posted: Sat Jun 11, 2022 10:20 pm Post subject: |
|
|
Done! It actually makes things much cleaner in make.conf and files inside package.use directory.
pietinger wrote: |
You can have "ping" with a suid-bit OR you can give "ping" the needed capabilities. With this use-flag you can enable it.
|
Still... I lack the knowledge to understand this.
pietinger wrote: |
(If you want a more secure system I could only recommend my German installation guide here in our forum in "Deutsche Dokumentation"). |
Will check it. Thank you very much. |
|
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9621 Location: beyond the rim
|
Posted: Tue Jun 14, 2022 1:57 pm Post subject: |
|
|
kukibl wrote: | No idea what it does ... However, I noticed that it is an optional USE flag for many important packages, including glibc. Can someone explain to me in more detail whether I need it and what it does? |
Linux capabilities allow apps that historically required root privileges to drop those while retaining the necessary permissions to do what they need to do. The "ping" tool is the most common example: Normal users don't have the permission to send ICMP packets the way that is needed for ping to perform its function. Therefore on "classic" Linux installations ping is always executed with full root permissions (due to the SUID bit). With capabilities, ping will still start with full root permissions, but then tells the kernel that it only needs the permission for the specific ICMP functionality and drops the rest for the majority of its execution. So in the case that an attacker manages to use ping as an attack vector, he is unlikely to get full root access that way.
Quote: | Also, a general question - is there a list of recommended USE flags (security wise), that are maybe not set by the default profile choice, but it is a good idea to have them on? |
In general don't change stuff you don't understand. When things aren't enabled by default, there is usually a reason for that.
And this goes esp. for security-related things. Stuff like selinux for example may sound great when you briefly read about it, but can be an absolute pain to set up and render your system completely unusable when not configured correctly. In other cases a poorly configured security feature may even weaken your security. |
|
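Added example, not part of any post in this thread: a small Python decoder for the Cap* lines of /proc/<pid>/status, run on two constructed status dumps that mirror the two states described in the post above (full root at start, then only the raw-socket capability). The sample dumps and the helper names (decode_mask, parse_status, excess) are assumptions made for illustration.

```python
import re

# Capability names indexed by bit number, as in linux/capability.h (bits 0..40).
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"
).split()

# Constructed samples (not captured from a real system): a SUID-root process
# holding every capability, and the same tool after keeping only cap_net_raw.
STATUS_START = ("Name:\tping\nUid:\t1000\t0\t0\t0\nCapInh:\t0000000000000000\n"
                "CapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n"
                "CapBnd:\t000001ffffffffff\n")
STATUS_DROPPED = ("Name:\tping\nUid:\t1000\t1000\t1000\t1000\n"
                  "CapInh:\t0000000000000000\nCapPrm:\t0000000000002000\n"
                  "CapEff:\t0000000000002000\nCapBnd:\t000001ffffffffff\n")


def decode_mask(mask):
    """Return the cap_* names set in a capability bitmask, in bit order."""
    return ["cap_" + (CAP_NAMES[b] if b < len(CAP_NAMES) else str(b))
            for b in range(mask.bit_length()) if mask >> b & 1]


def parse_status(text):
    """Map each Cap* field of a /proc/<pid>/status dump to its name list."""
    sets = {}
    for field, hexmask in re.findall(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", text, re.M):
        sets[field] = decode_mask(int(hexmask, 16))
    return sets


def excess(text, needed):
    """Effective capabilities the process holds beyond the ones it needs."""
    return sorted(set(parse_status(text).get("CapEff", [])) - set(needed))


if __name__ == "__main__":
    for label, status in (("start", STATUS_START), ("dropped", STATUS_DROPPED)):
        extra = excess(status, ["cap_net_raw"])
        print(f"{label}: {len(extra)} effective capabilities beyond cap_net_raw")
```

On a live system the same functions can be fed the contents of /proc/<pid>/status for any running process.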
carcajou Apprentice
Joined: 10 Jun 2008 Posts: 248
|
Posted: Tue Jun 14, 2022 8:46 pm Post subject: |
|
|
Genone wrote: |
Linux capabilities allow apps that historically required root privileges to drop those while retaining the necessary permissions to do what they need to do. The "ping" tool is the most common example: Normal users don't have the permission to send ICMP packets the way that is needed for ping to perform its function. Therefore on "classic" Linux installations ping is always executed with full root permissions (due to the SUID bit). With capabilities, ping will still start with full root permissions, but then tells the kernel that it only needs the permission for the specific ICMP functionality and drops the rest for the majority of its execution. So in the case that an attacker manages to use ping as an attack vector, he is unlikely to get full root access that way.
|
Wow Genone, that makes it perfectly clear. Thank you, I appreciate it.
Genone wrote: |
In general don't change stuff you don't understand. When things aren't enabled by default, there is usually a reason for that.
|
Considering I used the nomultilib profile as my default one, I always had a concern that I'm missing something important (or will miss it sooner or later). So, when I see that a new USE flag is enabled or disabled, but it is not self-explanatory what it does, I usually investigate and later disable/enable it locally for that particular package. For the "caps" I really could not figure it out by myself. |
|