CAPs

[Andrew Morgan]

"Ilmar S. Habibulin" wrote:
> While implementing cap_set_proc() function(actually it is a syscall) i've
> confused - i just do not understand who can set up capability - user, and
> who set up initial state of process capabilities? What is the initial
> state of process capabilities?
> 
> Linux has CAP_SETPCAP capability, which allows user to change any
> capability. POSIX doesn't has it. So how should i implement it?

Actually, this is an abomination that was forced on me, kicking and
screaming. Its a capability that is basically so hard to use safely it
is dangerous. If I were you, I would choose not to implement it. Its
basically turned off by default in the Linux kernel, and short of
rewriting the 'init' program, there is no way to acquire it without
fiddling with the kernel.

[The reason it is there was a misguided attempt to get something like
filesystem capabilities with out adding support to the kernel. If I ever
get the filesystem support production quality, this capability should go
away.]

Cheers

Andrew
To Unsubscribe: send mail to majordomo at cyrus.watson.org
with "unsubscribe posix1e" in the body of the message