On Tue, Oct 28, 2003 at 12:31:14PM -0500, Matt Zimmerman wrote: [...] > I'm actually starting to wonder whether we should have a general facility > for these sorts of things. Having apps be setuid root and expecting them to > behave responsibility is asking for trouble; it would make much more sense > to grant them only the capability that they need. I don't know whether > there is a filesystem extension to grant capabilities to binaries,
There is libcap2 which requires a kernel-patch. http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4-fcap/ > but we probably couldn't rely on it anyway. ack. Perhaps execcap(8) can be used as base for the "general facility"? cu andreas
