> > It seems that in order to take full advantage of capabilities, files should
> > not be owned by root. Files should be owned by a non-login user (e.g. bin).
>
> I don't believe that is true at all. Can you explain why you think that
> would be advantageous?
>
> > That's because root will be just another user, with its set of
> > capabilities, and you may like to prevent him from altering system files.
>
> Crap, you just moved that problem to another account and gained nothing.
>
> > As this is a major change, we'd better start now. This will also help
> > people who want to implement a capabilities setup before we do...
>
> We can't implement capabilities now anyway, since we don't have a kernel
> with a filesystem that supports them.
That's not true, capabilities can be handled with system calls. A daemon may drop all capabilities except the one needed to bind to privileged ports. But the daemon would still be run with UID 0, and be able to modify/access any root-owned file in the system. Capabilities are the future of security in Linux. Capabilities are supported in the kernel Debian is now shipping with potato. FS support will surely be one of the first things added to 2.5.
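An added illustration of the point made in the reply above, written for this page rather than taken from the thread: a process keeps the capability needed for privileged ports (CAP_NET_BIND_SERVICE) and drops every other one through the raw capget(2)/capset(2) system calls, and its UID is unchanged afterwards, so if it started as UID 0 it still owns (and can write) every root-owned file. It assumes a Linux host with <linux/capability.h> available; libcap is deliberately not used. The function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Bit position of a capability number inside the 64-bit mask built from the
 * two u32 words that _LINUX_CAPABILITY_VERSION_3 uses. */
uint64_t cap_bit(int cap)
{
    return (uint64_t)1 << cap;
}

/* Read the calling thread's effective capability set as a 64-bit mask.
 * Returns 0 if capget(2) fails (and 0 also when no capability is held). */
uint64_t read_effective_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return 0;
    return ((uint64_t)data[1].effective << 32) | data[0].effective;
}

/* Drop every capability except `keep` from the permitted, effective and
 * inheritable sets of the calling thread. Any process may shrink its own
 * sets, so this works for UID 0 and for unprivileged users alike (for the
 * latter the sets are usually already empty). Returns 0 or -errno. */
int drop_all_caps_except(int keep)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -errno;

    /* Mask for the low word (caps 0..31) and the high word (caps 32..63). */
    uint32_t lo = (keep < 32) ? (uint32_t)1 << keep : 0;
    uint32_t hi = (keep >= 32) ? (uint32_t)1 << (keep - 32) : 0;
    data[0].permitted   &= lo;  data[1].permitted   &= hi;
    data[0].effective   &= lo;  data[1].effective   &= hi;
    data[0].inheritable &= lo;  data[1].inheritable &= hi;

    if (syscall(SYS_capset, &hdr, data) != 0)
        return -errno;
    return 0;
}

/* Stand-alone demonstration: show the effective set and the UID before and
 * after the drop. Run as root to see the set shrink to just bit 10. */
int main(void)
{
    printf("before: euid=%u effective=%#llx\n",
           (unsigned)geteuid(), (unsigned long long)read_effective_caps());
    int rc = drop_all_caps_except(CAP_NET_BIND_SERVICE);
    printf("capset: %s\n", rc == 0 ? "ok" : strerror(-rc));
    printf("after:  euid=%u effective=%#llx\n",
           (unsigned)geteuid(), (unsigned long long)read_effective_caps());
    return rc == 0 ? 0 : 1;
}
```

Run as root, the second line prints effective=0x400 (only CAP_NET_BIND_SERVICE) while euid stays 0: the daemon can still bind port 80, but ordinary discretionary access checks still see it as the owner of every root-owned file, which is exactly the gap the reply describes. Run as an ordinary user both masks are 0 and the call still succeeds, since dropping is always permitted.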