Re: RemoveSETUID feature (Was: Summary/Minutes from today's FESCo meeting (2010-10-26) NEW TIME!)

On 12/21/2010 03:50 PM, Colin Walters wrote:
> On Tue, Dec 21, 2010 at 3:21 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>
>> File capabilities just limit the number of capabilities an application
>> starts with.  setuid app means an app starts with all 32, a couple of
>> new ones, capabilities.  Then it is up to the app developer to drop the
>> capabilities when the app is done using them.  Going to file
>> capabilities just limits the capabilities an application starts with to
>> the specified capabilities.  The application developer should still drop
>> the capabilities once they no longer need them.  It helps in the case of
>> a bug in an application, that does not drop capabilities.
> 
> I understand the goal of getting fewer capabilities (however, I think
> switching setuid to cap_sys_admin is at best pointless, at worst an
> obfuscation).
> 
> But you didn't answer my question - does the scope of this plan
> include a Unix mode 005 /bin, etc. or not?

No
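The drop-after-use pattern discussed in the quoted text, as an added example that is not part of the original message or of any Fedora package. It assumes a hypothetical helper that only needs CAP_NET_RAW; the function names get_permitted and drop_all_except are illustrative, and the raw capget/capset syscalls are used so that libcap is not required.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Read the calling process's permitted set as a 64-bit mask. 0 on success. */
static int get_permitted(uint64_t *out)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { {0, 0, 0}, {0, 0, 0} };
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    *out = ((uint64_t)data[1].permitted << 32) | data[0].permitted;
    return 0;
}

/* Shrink effective and permitted to (keep & current permitted) and clear
 * inheritable. capset(2) can only remove from permitted, never add. */
static int drop_all_except(uint64_t keep)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    uint64_t cur;
    if (get_permitted(&cur) != 0)
        return -1;
    keep &= cur; /* asking for a capability we do not hold would fail */
    for (int i = 0; i < 2; i++) {
        data[i].effective = (uint32_t)(keep >> (32 * i));
        data[i].permitted = data[i].effective;
        data[i].inheritable = 0;
    }
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

int main(void)
{
    uint64_t p = 0;
    get_permitted(&p);
    printf("permitted at start:   %#llx\n", (unsigned long long)p);
    /* Started setuid root: narrow to the one capability needed (assumed
     * CAP_NET_RAW). Started with a file capability: this is already the set. */
    if (drop_all_except(1ULL << CAP_NET_RAW) != 0)
        return 1;
    /* ... the privileged step, e.g. opening a raw socket, would go here ... */
    if (drop_all_except(0) != 0) /* done with privilege: drop it for good */
        return 1;
    get_permitted(&p);
    printf("permitted after drop: %#llx\n", (unsigned long long)p);
    return 0;
}
```
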