On Tue, Dec 21, 2010 at 3:21 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote: > > File capabilities just limit the number of capabilities an application > starts with. Âsetuid app means an app starts with all 32, a couple of > new ones, capabilities. ÂThen it is up to the app developer to drop the > capabilities when the app is done using them. ÂGoing to file > capabilities just limits the capabilities an application starts with to > the specified capabilities. ÂThe application developer should still drop > the capabilities once they no longer need them. ÂIt helps in the case of > a bug in an application, that does not drop capabilities. I understand the goal of getting fewer capabilities (however, I think switching setuid to cap_sys_admin is at best pointless, at worst an obfuscation). But you didn't answer my question - does the scope of this plan include a Unix mode 005 /bin, etc. or not? -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
