On 23.12.2011 22:52, Aaron Konstam wrote:
>>> I guess I am thick because I can't understand the explanation in the web
>>> page above. An example or two might have helped.
>>
>> you need to understand what SETUID and CAPABILITIES are
>> what examples are you expecting? these are techniques
>>
>> http://en.wikipedia.org/wiki/Setuid
>> http://kernel.org/doc/man-pages/online/pages/man7/capabilities.7.html
>
> Examples of a specific capability replacing a setuid. Your web pages were
> of more help.

[harry@srv-rhsoft:~]$ getcap /bin/ping
/bin/ping = cap_net_raw+ep

it gets exactly the permissions it really needs
with SETUID it had full root permissions

from the view of giving each user/service/application the permissions
which are needed but not more, capabilities are finer to control

giving as few permissions as possible is hardening the system
in the case of mistakes (buffer overflow, not well enough sanitized
inputs or whatever will happen) and maybe makes a permission breakout
of an application in specific cases impossible where they with SETUID
would have the possibility to take over the system
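The difference between `cap_net_raw+ep` and setuid root described in the message above, as an added example that is not part of the original e-mail: it decodes a `CapEff` mask (the hex value shown in `/proc/<pid>/status`) into capability names. The function names and both sample masks are constructed for illustration.

```sh
#!/bin/sh
# Added example: decode a CapEff mask (hex, as shown in /proc/<pid>/status)
# into capability names. Bit numbers follow capabilities(7).
CAP_NAMES="cap_chown cap_dac_override cap_dac_read_search cap_fowner
cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable
cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw
cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot
cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice
cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease
cap_audit_write cap_audit_control cap_setfcap cap_mac_override
cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend cap_audit_read
cap_perfmon cap_bpf cap_checkpoint_restore"

# decode_caps HEXMASK -> comma-separated names of the bits that are set
decode_caps() {
    mask=$(( 0x$1 ))
    bit=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="${out:+$out,}$name"
        fi
        bit=$(( bit + 1 ))
    done
    printf '%s\n' "$out"
}

# count_caps HEXMASK -> number of capabilities in the mask
count_caps() {
    set -- $(decode_caps "$1" | tr ',' ' ')
    echo "$#"
}

# Constructed sample masks (not taken from a real system):
PING_WITH_FILECAP=0000000000002000   # process started from a cap_net_raw+ep binary
PING_WITH_SETUID=000001ffffffffff    # setuid-root process, kernel with 41 capabilities

echo "file capability: $(count_caps "$PING_WITH_FILECAP") -> $(decode_caps "$PING_WITH_FILECAP")"
echo "setuid root:     $(count_caps "$PING_WITH_SETUID") -> $(decode_caps "$PING_WITH_SETUID")"
```

A bug in the first process exposes one capability; the same bug in the second exposes every capability in the list, including `cap_sys_admin` and `cap_sys_module`.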