No subject

than to have a program such as login be required to have a bunch
of capabilities that it does not need to do it's own work just
so that it can pass them along should the child require/desire them.
Yes, CAP_SETPCAP is a LOT of privilege. Without it, however, login
and su require many capabilities they don't need otherwise. It's
better to have the ability to violate a particular policy than
to require a process to run with capabilities it does not actually
need.

-- 

Casey Schaufler                         voice: (650) 933-1634
casey at sgi.com                           fax:   (650) 933-0170
To Unsubscribe: send mail to majordomo at cyrus.watson.org
with "unsubscribe posix1e" in the body of the message