1 |
On Sat, 17 Apr 2010 21:45:57 +0100 |
2 |
David W Noon <dwnoon@××××××××.com> wrote: |
3 |
|
4 |
> In fact, POSIX capabilities are a mechanism to *reduce* a program's |
5 |
> permissions, not increase them. |
6 |
|
7 |
It's true that Linux "capabilities" are used to replace SUID and that does reduce the programs permissions. |
8 |
On the other hand programs like Wine. Which no one would never run with SUID could be run with CAP_NET_RAW. |
9 |
That would be a increase in permissions. Wine needs to be able to ping because some program need to use IPX[1], |
10 |
Like Red Alert 2. Someone has made a patch for Red Alert 2 to use TCP/IP and I can not think of another program off the top of my head. |
11 |
|
12 |
That information came from "man 7 capabilities". So I guess it's all about how you look at it. |
13 |
|
14 |
[1] http://en.wikipedia.org/wiki/Internetwork_Packet_Exchange |