We've been looking at file system capabilities recently.
I noticed this particular instance in Fedora:
wireshark,/usr/sbin/dumpcap,"= cap_net_admin,cap_net_raw+eip"
If I understand things correctly, the "i" part is unnecessary because
dumpcap doesn't spawn other programs (unless exploited, that is). So
making these capabilities non-inheritable makes sense to me.
Comments?
--
Florian Weimer / Red Hat Product Security Team
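
An added example, not part of the original message: a short audit that reads listing rows in the format quoted above, parses the capability text, and reports entries whose inheritable ("i") set is non-empty together with the same grant without it. The second sample row and all function names are constructed for illustration; the parser handles named capabilities and a bare "=" clause only, not the "all" forms.

```python
import csv
import io
import re

# One whitespace-separated clause: optional cap list, then one or more actions.
CLAUSE = re.compile(r'^([a-z0-9_,]*)((?:[=+-][eip]*)+)$')
ACTION = re.compile(r'([=+-])([eip]*)')

# First row is the entry quoted in the message; second row is constructed.
SAMPLE = '''wireshark,/usr/sbin/dumpcap,"= cap_net_admin,cap_net_raw+eip"
example-pkg,/usr/bin/example-tool,"cap_net_raw+ep"
'''

def parse_caps(text):
    """Return the effective/inheritable/permitted sets for a capability string."""
    sets = {'e': set(), 'i': set(), 'p': set()}
    for clause in text.split():
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unparseable clause: {clause!r}")
        names, actions = m.groups()
        if not names:
            if actions != '=':
                raise ValueError("only a bare '=' may omit capability names here")
            for s in sets.values():
                s.clear()                      # bare "=" clears every set
            continue
        caps = {n for n in names.split(',') if n}
        for op, flags in ACTION.findall(actions):
            if op == '=':                      # "=" resets these caps first
                for s in sets.values():
                    s.difference_update(caps)
            for f in flags:
                if op == '-':
                    sets[f].difference_update(caps)
                else:
                    sets[f].update(caps)
    return sets

def render(sets):
    """Format sets as text accepted by setcap(8), grouped by flag combination."""
    groups = {}
    for cap in sorted(set().union(*sets.values())):
        flags = ''.join(f for f in 'eip' if cap in sets[f])
        groups.setdefault(flags, []).append(cap)
    return ' '.join(f"{','.join(c)}+{fl}" for fl, c in sorted(groups.items()))

def audit(listing):
    """Return (path, inheritable caps, proposed text without 'i') per flagged row."""
    findings = []
    for _pkg, path, caps in csv.reader(io.StringIO(listing)):
        sets = parse_caps(caps)
        if sets['i']:
            findings.append((path, sorted(sets['i']), render({**sets, 'i': set()})))
    return findings
```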