> You obviously don't understand the implications of the "effective" and the
> "allowed" capabilities masks. Your worries about being restricted to
> "subsets or supersets" of capabilities if suid isn't changed are unfounded,
> and worse, are sending people off on blind tangents. None of the suid stuff
> needs behavior modification.
There is no "allowed". I'll assume you mean the permitted set.
The effective set doesn't matter much. It can prevent some mistakes.
Exploit code can raise and lower it at will, within the confines of
the permitted set.
>From your earlier post, you seemed to have the strange idea that
capabilities would be tied to users. This is not right. It seems
that you imagine a system for which a setuid process always
gets those capabilities that would be granted to the setuid UID.
That would be very bad; the result should be independent of what
the setuid UID would normally get.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/