On 12/21/2010 03:50 PM, Colin Walters wrote:
> On Tue, Dec 21, 2010 at 3:21 PM, Daniel J Walsh
> <dwalsh(a)redhat.com> wrote:
>>
>> File capabilities just limit the number of capabilities an application
>> starts with. setuid app means an app starts with all 32, a couple of
>> new ones, capabilities. Then it is up to the app developer to drop the
>> capabilities when the app is done using them. Going to file
>> capabilities just limits the capabilities an application starts with to
>> the specified capabilities. The application developer should still drop
>> the capabilities once they no longer need them. It helps in the case of
>> a bug in an application, that does not drop capabilities.
>
> I understand the goal of getting fewer capabilities (however, I think
> switching setuid to cap_sys_admin is at best pointless, at worst an
> obfuscation).
>
> But you didn't answer my question - does the scope of this plan
> include a Unix mode 005 /bin, etc. or not?

No