Re: xdg-app without setuid



On Thu, 2015-05-28 at 22:31 +0200, Alexander Larsson wrote:
I just pushed some changes to make xdg-app use user namespaces, which
means it does not require any elevated permissions like setuid or
setcap.

I need to do some more testing on it to make sure nothing broke, but it
seems to work for me.

However, there is an issue with some 4.0.x kernels, where it causes a
panic. For Fedora this is fixed in the 4.0.4-302 kernel (and it works
with previous 3.19 kernels). If you want to test this, make sure you
have a new enough or old enough kernel.

I added back the old setuid implementation if you pass --disable-userns
to configure, since some old distros don't have user namespaces.
However, my recommendation is for everyone that can to use the user
namespace implementation; it is less risky as there are no increased
privileges needed.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
       alexl redhat com            alexander larsson gmail com 
He's a deeply religious crooked vampire hunter who dotes on his loving 
old ma. She's a mentally unstable red-headed research scientist with a 
song in her heart and a spring in her step. They fight crime! 


