capabilities and kmod

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Gerard Roudier: "Re: [patch] Re: spin_unlock optimization(i386)"
• Previous message: Oliver Mueschke: "Re: PROBLEM: Directory inconsistencies on Joliet-mounted CDROMs"

what is the reason to give kmod the full set of capabilities while
limiting init to the full set except CAP_SETPCAP? Users can always replace
/sbin/modprobe with a shell script which executes "/sbin/setpcaps =eip -1"
and they'll get the full set of capabilities back. Is this an oversight?
Wouldn't it be enough to grant kmod CAP_SYS_MODULE rights instead of
CAP_FULL_SET?

Cheers,

-- 
----------------------------------------------------------------------
Jochen Friedrich                          NWE Network-Engineering GmbH
                                                      Linux-Systemhaus

                                                      Wingertstr. 70/1 
6-bone: JF3-6BONE                                  D-68809 Neulussheim
e-mail: jochen@nwe.de                      voice: +49 (0) 6205 3920-59 
web:   http://www.nwe.de                   fax:   +49 (0) 6205 3920-58
----------------------------------------------------------------------


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

• Next message: Gerard Roudier: "Re: [patch] Re: spin_unlock optimization(i386)"
• Previous message: Oliver Mueschke: "Re: PROBLEM: Directory inconsistencies on Joliet-mounted CDROMs"