On Tue, 27 Mar 2018 17:24:19 +0100 Luca Boccassi <bl...@debian.org> wrote:
> ip vrf exec requires root or CAP_NET_ADMIN, CAP_SYS_ADMIN and
> CAP_DAC_OVERRIDE. It is not possible to run unprivileged commands like
> ping as non-root or non-cap-enabled due to this requirement.
> To allow users and administrators to safely add the required
> capabilities to the binary, drop all capabilities on start if not
> invoked with "vrf exec".
> Update the manpage with the requirements.
>
> Signed-off-by: Luca Boccassi <bl...@debian.org>

Gets a little messy, but don't have a better answer.
When a command like iproute gets involved in security policy things I become concerned that it may have unexpected consequences.
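As an added illustration of the startup behaviour the quoted commit message describes (not code from the patch or from iproute2): a minimal C sketch that clears the process's capability sets unless the command line is `vrf exec`. The helper names `is_vrf_exec`, `drop_all_caps`, `caps_remaining` and `startup_policy` are hypothetical, and argument parsing is simplified to the literal `<prog> vrf exec ...` form.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Hypothetical check: only the literal "<prog> vrf exec ..." form is handled. */
static int is_vrf_exec(int argc, char **argv)
{
    return argc >= 3 && !strcmp(argv[1], "vrf") && !strcmp(argv[2], "exec");
}

/* Clear effective, permitted and inheritable sets of the calling thread. */
static int drop_all_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    memset(data, 0, sizeof(data));
    return (int)syscall(SYS_capset, &hdr, data);
}

/* 0 = no capabilities left, 1 = some remain, -1 = capget failed. */
static int caps_remaining(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++)
        if (data[i].effective || data[i].permitted || data[i].inheritable)
            return 1;
    return 0;
}

/* 0 = kept for "vrf exec", 1 = dropped, -1 = drop failed (caller should exit). */
static int startup_policy(int argc, char **argv)
{
    if (is_vrf_exec(argc, argv))
        return 0;
    return drop_all_caps() == 0 ? 1 : -1;
}

int main(int argc, char **argv)
{
    int rc = startup_policy(argc, argv);
    printf("policy=%d caps_remaining=%d\n", rc, caps_remaining());
    return rc < 0;
}
```

`capset(2)` with empty sets does not touch the capability bounding set, and a failed drop has to be treated as fatal so that no other subcommand keeps running with the file capabilities attached to the binary.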