On Friday 12 June 2009 09:02:39 am Daniel Lezcano wrote: > As I only need the CAP_SYS_BOOT, I will define it manually in the source > code and will remove the include, that's ugly but anyway... :/ Alternately....as of today, libcap-ng is now in Fedora. It has a far simpler API and you should be able to do things in 2-3 lines of code. For example, if you wanted to use it to retain only CAP_SYS_BOOT, the code would be: capng_clear(CAPNG_SELECT_BOTH); capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_BOOT); capng_apply(CAPNG_SELECT_CAPS); You're done. If you know you application has no children, then you would want to change the last line to use CAPNG_SELECT_BOTH so that the bounding set is cleared. libcap-ng has 1 relocation and libcap has 35, so it starts up faster. Its also smaller in size and has better analysis tools. More info can be found here: http://people.redhat.com/sgrubb/libcap-ng/ I'll be setting up a Fedora 12 project in the next few days to drop privs everywhere. -Steve -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
