From: Chris Wing (wingcengin.umich.edu)
Date: Mon Apr 30 2001 - 18:32:48 CDT

    Ryan:

    I think it's probably a good idea to stick with libcap for using
    capabilities. Shared library dependencies can be annoying, but I think
    that insulating calling programs from the details of the kernel interface
    is a good thing. (It increases the probability that, should something need
    to be fixed, it can be fixed without recompiling a bunch of
    applications.)

    Is libcap included in modern Linux distributions? If not, it probably
    should be.

    On a related note, I just finished a new patch for xntpd. It addresses the
    problems that Solar Designer found in my original patch, and adds an
    option to chroot ntpd. The implementation is a little weird, so I don't
    know what you guys will think about it. I chroot() ntpd after doing all
    initialization, and fix up path names afterward, stripping off the path
    prefix of the chroot jail.

    Since the running xntpd only touches a few files, this approach is not too
    bad.

    http://www.engin.umich.edu/caen/systems/Linux/code/patches/xntp3-5.93-unpriv.patch

    Thanks,

    Chris Wing
    wingcengin.umich.edu
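
The path fix-up described in the message above (chroot after initialization, then strip the jail prefix from configured path names) can be sketched as follows. This is an added example, not part of the original message and not code from the xntpd patch; the function names `jail_relative` and `enter_jail` and the `/var/ntp` paths are hypothetical.

```c
#define _DEFAULT_SOURCE 1               /* for chroot() in <unistd.h> */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Rewrite absolute `path` so it names the same file after chroot(jail).
 * Returns 0 on success, -1 if the path is outside the jail or does not fit. */
int jail_relative(const char *jail, const char *path, char *out, size_t outlen)
{
    size_t jl = strlen(jail);
    const char *rest = path;

    if (jail[0] != '/' || path[0] != '/')
        return -1;                      /* absolute paths only */
    while (jl > 1 && jail[jl - 1] == '/')
        jl--;                           /* ignore trailing slashes on the jail */
    if (jl > 1) {
        /* The prefix must end on a component boundary, so that a jail of
         * /var/ntp does not also match /var/ntpd/... */
        if (strncmp(path, jail, jl) != 0 ||
            (path[jl] != '\0' && path[jl] != '/'))
            return -1;
        rest = path + jl;
    }
    if (*rest == '\0')
        rest = "/";                     /* the jail directory itself */
    /* A ".." component would name a different file once inside the jail. */
    for (const char *p = rest; (p = strstr(p, "/..")) != NULL; p += 3)
        if (p[3] == '\0' || p[3] == '/')
            return -1;
    if (strlen(rest) >= outlen)
        return -1;
    memcpy(out, rest, strlen(rest) + 1);
    return 0;
}

/* Enter the jail once initialization is done; needs root (CAP_SYS_CHROOT). */
int enter_jail(const char *jail)
{
    return (chroot(jail) == 0 && chdir("/") == 0) ? 0 : -1;
}

int main(void)
{
    char buf[256];                      /* both paths below are constructed */
    if (jail_relative("/var/ntp", "/var/ntp/etc/ntp.drift", buf, sizeof buf) == 0)
        printf("after chroot, open %s\n", buf);
    return 0;
}
```

A path that fails the check should be treated as a configuration error before `enter_jail` is called, since the file it names will not be reachable afterward.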