2023-01-14 18:27 (UTC-0800), Stephen Hemminger:
> DAC_OVERRIDE is like having the master key. It opens all doors
> and if so, running as non-root really doesn't matter that much.
>
> Ideally, a finer grain permission could be used.
> Recommending this to users seems wrong.

According to my tests, DAC_READ_SEARCH can be used instead of DAC_OVERRIDE. It seems slightly better, because it doesn't bypass write permission checks. Although I agree with Isaac that SYS_ADMIN is already very powerful, and remember that the final goal is to perform unrestricted DMA.

Boris, Isaac, is DAC_READ_SEARCH sufficient on your systems?