Re: Preparing Debian for using capabilities: file ownership.

[Nicolás Lichtmaier <nick@debian.org>]

> >  That's not true, capabilities can be handled with system calls. A daemon
> > may drop all capabilities except the one needed to bind to privileged ports.
> > But the daemon would still be ran with UID 0, and be able to modify/access
> > any root owned file in the system.
> 
> Why wouldn't it also change its uid to that of daemon or nobody then? I
> assume capabilities are independent of uid?

 If you change RUID, EUID and SUID to a non-root user, all capabilities are
cleared.
 Besides, this is the way it will be done when cap. enabled filesystems
arrive.