| 1 |
Am 17.04.2010 23:32, schrieb Jonathan: |
| 2 |
> On Sat, 17 Apr 2010 21:45:57 +0100 |
| 3 |
> David W Noon<dwnoon@××××××××.com> wrote: |
| 4 |
> |
| 5 |
>> In fact, POSIX capabilities are a mechanism to *reduce* a program's |
| 6 |
>> permissions, not increase them. |
| 7 |
> |
| 8 |
> It's true that Linux "capabilities" are used to replace SUID and that does reduce the programs permissions. |
| 9 |
> On the other hand programs like Wine. Which no one would never run with SUID could be run with CAP_NET_RAW. |
| 10 |
> That would be a increase in permissions. Wine needs to be able to ping because some program need to use IPX[1], |
| 11 |
> Like Red Alert 2. Someone has made a patch for Red Alert 2 to use TCP/IP and I can not think of another program off the top of my head. |
| 12 |
> |
| 13 |
> That information came from "man 7 capabilities". So I guess it's all about how you look at it. |
| 14 |
> |
| 15 |
> [1] http://en.wikipedia.org/wiki/Internetwork_Packet_Exchange |
| 16 |
> |
| 17 |
|
| 18 |
Sounds a little like putting someone in prison and than telling him |
| 19 |
walking through the prison yard is increasing his freedom. |
| 20 |
|
| 21 |
kh |
Archives