CAPs
Andrew Morgan
morgan at transmeta.com
Fri Nov 5 22:15:10 GMT 1999
James Buster wrote:
> Linux should never have had the ability to change the capability set
> of another process. Generality is nice, but not when it's both
> dangerous and generally useless.
Agreed.
Linux's CAP_SETPCAP will go away when there is real filesystem support
for capabilities. IRIX's CAP_SETPCAP seems less of a problem - at least
you can audit which processes can benefit from it! But, it does seem at
first glance to be more of a setuid-0 residue thing. I'd like to hear
some more in-depth discussion about why you need it. How does it differ
in reality from raising all forced capabilities for the login/su
programs?
Thanks
Andrew