
Re: Preparing Debian for using capabilities: file ownership.



> > It seems that in order to take full advantage of capabilities, files should
> > not be owned by root. Files should be owned by a non-login user (e.g. bin).
> 
> That would not be a logical step. Right now programs such as rlogin, ssh,
> NFS etc make sure that you cannot login as root or that root rights
> get smashed. If your box is cracked somehow, it often is the case that
> people can get any userid they like _except_ root. If the system binaries
> are owned by a non-root uid, that will lower security quite significantly.

 Why can't those programs be enhanced to protect the `bin' user?

 Anyway, all those protections were designed with the traditional security
scheme in mind. So yes, this is a real problem, and these utilities should
be changed.

 Sooner or later we'll need to address all this. I can't see why we don't
start now.


