| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 28 Aug 2008 14:54:15 -0500 From: Serge Hallyn <serue@...ibm.com> To: linux-kernel@...r.kernel.org Cc: dhowells@...hat.com, morgan@...nel.org, agruen@...e.de, Serge Hallyn <serue@...ibm.com> Subject: [PATCH 2/2] file capabilities: turn on by default Now that file capabilities can be turned off at boot, go ahead and compile them into the kernel by default by making CONFIG_SECURITY_FILE_CAPABILITIES=y the default. Note that the boot flag no_file_caps must be specified to turn file capabilities off, as by default they are on. So the default behavior is in fact changed. Signed-off-by: Serge Hallyn <serue@...ibm.com> --- security/Kconfig | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) diff --git a/security/Kconfig b/security/Kconfig index 5592939..6fbb233 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -75,12 +75,15 @@ config SECURITY_NETWORK_XFRM config SECURITY_FILE_CAPABILITIES bool "File POSIX Capabilities" - default n + default y help This enables filesystem capabilities, allowing you to give binaries a subset of root's powers without using setuid 0. - If in doubt, answer N. + You can still boot with the no_file_caps option to disable + file capabilities. + + If in doubt, answer Y. config SECURITY_ROOTPLUG bool "Root Plug Support" -- 1.5.4.3 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists