> It's a long story. You can do it NOW (more or less). Capabilities like this
> are in the kernel.
I know
> So what you should do is just add a few lines to the very
> start of main() -- drop all capabilities there except the capability to bind
> to ports < 1024 ... Where to store such a capability in the filesystem was
BUT your executable must be started by root or be SUID, and
adapted/modified for Linux. This would mean that all daemons must do this,
and that a "humble administrator" must check the source of all of them to
see if this is correct. If the admin can see it in his filesystem, it
would be a lot easier and, more importantly, transparent! (This is one of
the reasons NT is often configured insecurely: you don't have an overview
of the situation.)
Greetings,
Arjan van de Ven
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
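An added example, not code from this thread, of the "few lines at the start of main()" idea under discussion: keep only CAP_NET_BIND_SERVICE and drop everything else. It uses the raw Linux capget/capset syscalls instead of libcap and assumes a kernel with the v3 capability ABI; run without privilege there is nothing to keep, which is exactly Arjan's objection, so the sets simply come out empty.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>
#define KEEP_MASK (1u << CAP_NET_BIND_SERVICE)  /* bit 10, lives in data[0] */
/* Read the calling thread's capability sets via raw capget (v3 header, two words). */
static int read_caps(struct __user_cap_header_struct *hdr,
                     struct __user_cap_data_struct *data)
{
    memset(hdr, 0, sizeof *hdr);
    hdr->version = _LINUX_CAPABILITY_VERSION_3;
    hdr->pid = 0;                 /* 0 == calling thread */
    memset(data, 0, sizeof *data * _LINUX_CAPABILITY_U32S_3);
    return syscall(SYS_capget, hdr, data) == 0 ? 0 : -1;
}
/* Keep only CAP_NET_BIND_SERVICE in permitted/effective, clear everything
 * else (inheritable included). Constructed example, not the thread's code. */
static int drop_all_but_bind(void)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (read_caps(&hdr, data) != 0)
        return -1;
    /* The new permitted set must be a subset of the old one, so intersect
     * rather than assign: a non-root start just ends with empty sets. */
    data[0].permitted &= KEEP_MASK;
    data[0].effective = data[0].permitted;
    data[0].inheritable = 0;
    data[1].permitted = data[1].effective = data[1].inheritable = 0;
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}
/* 1 if nothing but CAP_NET_BIND_SERVICE is left in permitted/effective. */
static int only_bind_cap_left(void)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (read_caps(&hdr, data) != 0)
        return 0;
    return (data[0].permitted & ~KEEP_MASK) == 0 && (data[0].effective & ~KEEP_MASK) == 0
        && data[1].permitted == 0 && data[1].effective == 0;
}
int main(void)
{
    if (drop_all_but_bind() != 0) { perror("capset"); return 1; }
    printf("only CAP_NET_BIND_SERVICE left: %s\n", only_bind_cap_left() ? "yes" : "no");
    return 0;
}
```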