Re: Should login managers use CapabilityBoundingSet=~CAP_SYS_PTRACE in their services ?

To: debian-devel@lists.debian.org
Cc: debian-devel@lists.debian.org
Subject: Re: Should login managers use CapabilityBoundingSet=~CAP_SYS_PTRACE in their services ?
From: Marco d'Itri <md@Linux.IT>
Date: Sun, 4 Jan 2026 18:44:13 +0100
Message-id: <[🔎] aVqm7eORGvjnSNVc@bongo.bofh.it>
In-reply-to: <[🔎] 20260104180839.7e09a537@lorenz.fritz.box>
References: <[🔎] 20260104180839.7e09a537@lorenz.fritz.box>

On Jan 04, Lorenzo <plorenzo@disroot.org> wrote:

Slim upstream added
CapabilityBoundingSet=~CAP_SYS_PTRACE
to the slim.service file, apparently to silence lintian messages [1].
This breaks some admin commands [2] in a non obvious way and so causes
surprise to users.

Indeed, this is just wrong: while sandboxing and hardening daemons isgenerally a good idea, a login manager should not restrict thecapabilities of the user's session.


--
ciao,
Marco

Attachment: signature.asc
Description: PGP signature

Reply to:

References:
- Should login managers use CapabilityBoundingSet=~CAP_SYS_PTRACE in their services ?
  - From: Lorenzo <plorenzo@disroot.org>

Prev by Date: Should login managers use CapabilityBoundingSet=~CAP_SYS_PTRACE in their services ?
Next by Date: Re: Proposition: Insert Minimal Installation in Debian Linux
Previous by thread: Should login managers use CapabilityBoundingSet=~CAP_SYS_PTRACE in their services ?
Next by thread: Bug#1124653: ITP: python3-generic -- Generic programming library for Python
Index(es):
- Date
- Thread