Re: POSIX capabilities patch
On Sun, 16 Nov 2003, Marco d'Itri wrote:
> On Nov 15, Miquel van Smoorenburg <miquels@cistron.nl> wrote:
> >too early to put that into init upstream ?
> I don't know. It was a quick hack I made because I wanted to play with
> capabilities. I suppose that there is a reason if whoever designed this
> did not allow normal programs to raise capabilities.
But normal programs ARE allowed to raise capabilities, as long as they have
this capability to begin with. As the kernel stands right now (why? I have
no idea), init has to explicitly request capabilities for its children...
otherwise nothing can, since init is the 'parent' of all.
Maybe it is fear that some 'distracted' admin will lock himself outside of
root, but then, since when we accept that as an excuse for blocking
something?
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
Reply to: