No subject
Fri Feb 24 02:21:12 GMT 2006
than to have a program such as login be required to have a bunch
of capabilities that it does not need to do it's own work just
so that it can pass them along should the child require/desire them.
Yes, CAP_SETPCAP is a LOT of privilege. Without it, however, login
and su require many capabilities they don't need otherwise. It's
better to have the ability to violate a particular policy than
to require a process to run with capabilities it does not actually
need.
--
Casey Schaufler voice: (650) 933-1634
casey at sgi.com fax: (650) 933-0170
To Unsubscribe: send mail to majordomo at cyrus.watson.org
with "unsubscribe posix1e" in the body of the message
More information about the posix1e
mailing list