On Tue, Dec 21, 2010 at 3:21 PM, Daniel J Walsh dwalsh@redhat.com wrote:
> File capabilities just limit the number of capabilities an application starts with. A setuid app means an app starts with all 32 capabilities (plus a couple of new ones). Then it is up to the app developer to drop the capabilities when the app is done using them. Going to file capabilities just limits the capabilities an application starts with to the specified capabilities. The application developer should still drop the capabilities once they no longer need them. It helps in the case of a bug in an application that does not drop capabilities.
I understand the goal of getting fewer capabilities (however, I think switching setuid to cap_sys_admin is at best pointless, at worst an obfuscation).
But you didn't answer my question - does the scope of this plan include a Unix mode 005 /bin, etc. or not?
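The "drop the capabilities when the app is done using them" step Walsh describes, as an added C example that is not part of this thread: it uses the raw capget/capset syscalls rather than libcap, declares the kernel ABI structs itself, and assumes Linux (bit 21 is CAP_SYS_ADMIN, the capability discussed above).

```c
/* Added example, not from the thread: drop capabilities with the raw
 * capget/capset syscalls (no libcap). Linux only; struct layouts and the
 * v3 header value are assumed to match linux/capability.h. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#define CAP_VERSION_3 0x20080522u          /* _LINUX_CAPABILITY_VERSION_3 */
#define CAP_MASK(bit) (1ULL << (bit))      /* CAP_MASK(21) is CAP_SYS_ADMIN */

struct cap_hdr  { uint32_t version; int pid; };
struct cap_data { uint32_t effective, permitted, inheritable; };

/* Return the calling thread's effective set as a 64-bit mask
 * (two 32-bit words in the v3 ABI), or UINT64_MAX on error. */
uint64_t effective_caps(void)
{
    struct cap_hdr hdr = { CAP_VERSION_3, 0 };
    struct cap_data d[2];
    if (syscall(SYS_capget, &hdr, d) != 0) return UINT64_MAX;
    return ((uint64_t)d[1].effective << 32) | d[0].effective;
}

/* Keep only the capabilities in keep_mask and clear every other bit from the
 * permitted, effective and inheritable sets. Clearing bits needs no privilege,
 * so an unprivileged caller simply ends up with all-zero sets. Call this as
 * soon as the privileged work (bind, mount, ...) is finished. */
int drop_caps_except(uint64_t keep_mask)
{
    struct cap_hdr hdr = { CAP_VERSION_3, 0 };
    struct cap_data d[2];
    if (syscall(SYS_capget, &hdr, d) != 0) return -1;
    for (int i = 0; i < 2; i++) {
        uint32_t keep = (uint32_t)(keep_mask >> (32 * i));
        d[i].permitted   &= keep;
        d[i].effective   &= keep;
        d[i].inheritable &= keep;
    }
    return (int)syscall(SYS_capset, &hdr, d);
}

/* Parse one "CapEff:\t00000000a80425fb" line from /proc/<pid>/status, which is
 * how an operator checks what a running service actually still holds. */
uint64_t parse_cap_line(const char *line)
{
    const char *p = strchr(line, ':');
    return p ? strtoull(p + 1, NULL, 16) : 0;   /* strtoull skips the tab */
}
```

After `drop_caps_except(0)` the process's CapEff line in /proc/self/status reads all zeros, which is the check to put in a service's own self-test.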