Preparing Debian for using capabilities: file ownership.
It seems that in order to take full advantage of capabilities, files should
not be owned by root. Files should be owned by a non-login user (e.g. bin).
-rwxr-xr-x 1 root root 42300 jul 29 13:26 /bin/ls*
It should be:
-rwxr-xr-x 1 bin bin 42300 jul 29 13:26 /bin/ls*
That's because root will be just another user, with its set of
capabilities, and you may like to prevent him from altering system files.
As this is a major change, we'd better start now. This will also help
people who want to implement a capabilities setup before we do...
Do you like this? Do I send a "formal proposal"?