Re: Posix capabilities

From: Olaf Dietsche (
Date: Thu Oct 17 2002 - 10:36:40 EST

"Theodore Ts'o" <> writes:
> On Thu, Oct 17, 2002 at 01:02:25PM +0200, Andreas Gruenbacher wrote:
>> With capabilities the kernel ensures that
>> applications cannot exceed their capabilities.

Which is a _big_ plus.

> as compared
> to having every single individual administrator have make this
> determination by his or herself.

I don't see this. It's a distribution issue. There will be
administrators, who want to do it on their own, but those will be a

> Each additional thing which the system administrator has to do, is an
> additional thing that he/she can *get* *wrong*. System administators
> aren't stupid, just over-loaded, and often asked to administer
> something that's too complicated.

Once the distributions have taken care of this, there's nothing too
complicated left.

> Millions and millions of knobs and dials are not necessarily a good
> thing. If there is basically only one correct answer for how the
> knobs can be set up, sure, you can have a complex database for
> applications to determine what sort of capability masks they should
> have, and you can run that database against your database every night
> (otherwise, you might miss someone quietly modifying one or two
> capability masks to leave him/herself a back door).
> But why go through all that effort?

Because it's easier, than patching millions and millions of programs?

Regards, Olaf.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

This archive was generated by hypermail 2b29 : Wed Oct 23 2002 - 22:00:35 EST