RemoveSETUID feature (Was: Summary/Minutes from today's FESCo meeting (2010-10-26) NEW TIME!)

Colin Walters walters at verbum.org
Tue Dec 21 22:10:34 UTC 2010


2010/12/21 Miloslav Trmač <mitr at volny.cz>:

> If an attacker were controlling a process running with uid 0 and no
> capabilities at all, and /bin/sh were 0555, nothing prevents the
> attacker from chmod()ing /bin/sh to 0755 and overwriting it.  This makes
> any attempts to change the file permissions rather pointless.

Ah, of course.  That makes sense, thanks!

But it leaves me feeling pretty uncertain about the value of trying to
subset capabilities...
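
The rule the quoted paragraph relies on, as an added example that is not part of the original thread: chmod() is gated on file ownership (or CAP_FOWNER), not on the mode bits, so whoever owns a 0555 file can make it writable again. The sketch uses a constructed scratch file in /tmp owned by the calling user instead of /bin/sh; the function and struct names are illustrative.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* What happened at each step of one run. */
struct demo_result {
    int open_before_errno; /* errno from open(O_WRONLY) on the 0555 file, 0 if it succeeded */
    int chmod_rc;          /* return value of chmod(path, 0755) issued by the owner */
    int write_after_ok;    /* 1 if the file could be overwritten after the chmod */
};

/* Create a scratch file owned by the caller, set it to 0555, then walk
 * through the sequence the message describes for /bin/sh. */
struct demo_result owner_chmod_demo(void)
{
    struct demo_result r = { 0, -1, 0 };
    char path[] = "/tmp/owner-chmod-demo-XXXXXX"; /* constructed scratch path */
    int fd = mkstemp(path);
    if (fd < 0)
        return r;
    close(fd);
    chmod(path, 0555);                 /* no write bit for anyone */
    /* Step 1: mode bits deny writing unless the caller holds CAP_DAC_OVERRIDE. */
    fd = open(path, O_WRONLY | O_TRUNC);
    if (fd < 0)
        r.open_before_errno = errno;   /* EACCES for a capability-less owner */
    else
        close(fd);
    /* Step 2: chmod() checks ownership (or CAP_FOWNER), not the mode bits. */
    r.chmod_rc = chmod(path, 0755);
    /* Step 3: with the owner write bit restored, the overwrite goes through. */
    fd = open(path, O_WRONLY | O_TRUNC);
    if (fd >= 0) {
        r.write_after_ok = (write(fd, "x", 1) == 1);
        close(fd);
    }
    unlink(path);
    return r;
}

int main(void)
{
    struct demo_result r = owner_chmod_demo();
    printf("open errno=%d chmod=%d write=%d\n", r.open_before_errno, r.chmod_rc, r.write_after_ok);
    return 0;
}
```

Run with full root privileges, step 1 succeeds outright through CAP_DAC_OVERRIDE; the ownership check in step 2 is the part that still applies once capabilities are dropped.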

