group.of.nepali.translators team mailing list archive
Message #07697
[Bug 1615610] Re: Add support for capability-based permissions
** Also affects: snap-confine (Ubuntu)
Importance: Undecided
Status: New
** Also affects: snap-confine (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: snap-confine (Ubuntu)
Status: New => Fix Released
** Changed in: snap-confine (Ubuntu Xenial)
Status: New => In Progress
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1615610
Title:
Add support for capability-based permissions
Status in Snappy Launcher:
Fix Released
Status in snap-confine package in Ubuntu:
Fix Released
Status in snap-confine source package in Xenial:
In Progress
Bug description:
[Impact]
snap-confine relies on being a setuid root executable to perform
privileged operations. This bug is about using Linux capabilities
stored in extended filesystem attributes. The patch was essentially
moved from the Fedora package where it was created to the mainline
branch. It consists of a build-time decision that does the required
build system changes.
[Test Case]
snap-confine can be used as a non-setuid root executable (e.g. using
the current code in the Fedora package from which this patch
originates)
[Regression Potential]
This change does not affect the Ubuntu package.
[Other Info]
* This bug is a part of a major SRU that brings snap-confine in Ubuntu
16.04 in line with the current upstream release 1.0.41.
* snap-confine is technically an integral part of snapd which has an
SRU exception and is allowed to introduce new features and take
advantage of an accelerated procedure. For more information see
https://wiki.ubuntu.com/SnapdUpdates
== # Pre-SRU bug description follows # ==
Fedora has moved away from setuid executables and instead relies on
extended attributes to grant additional permissions to applications
that require this.
The 1.0.39 release has been patched in Fedora to use CAP_SYS_ADMIN
instead of the setuid bit without (so far) any adverse effects. This
patch should be a compile-time option.