Inheritable file system capabilities

Florian Weimer fweimer at redhat.com
Thu Oct 10 07:46:30 UTC 2013


We've been looking at file system capabilities recently.

I noticed this particular instance in Fedora:

wireshark,/usr/sbin/dumpcap,"= cap_net_admin,cap_net_raw+eip"

If I understand things correctly, the "i" part is unnecessary because 
dumpcap doesn't spawn other programs (unless exploited, that is).  So 
making these capabilities non-inheritable makes sense to me.

Comments?

-- 
Florian Weimer / Red Hat Product Security Team
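The check Florian describes, parsing a capability string and flagging anything still in the inheritable set, can be automated across a package table. The following is an added example and is not code from the post or from Fedora; it assumes rows in the same "package,path,capability string" shape as the quoted wireshark entry and handles the common subset of the libcap text format (a leading "=" that clears everything, then name lists with "+"/"-"/"=" flag groups); the second sample row is constructed.

```python
import csv
import io
import re
from typing import Dict, List, Set, Tuple

# Subset of the libcap text format (see cap_from_text(3)) handled here:
# whitespace-separated clauses, each a comma-separated capability list
# (empty or "all" meaning every capability) followed by one or more
# operator groups of the form [=+-][eip]*.
_CLAUSE = re.compile(r"^([a-z0-9_,]*)((?:[=+\-][eip]*)+)$")
_OPS = re.compile(r"([=+\-])([eip]*)")


def parse_cap_text(text: str) -> Dict[str, Set[str]]:
    """Return {capability_name: set_of_flags} for a capability string."""
    state: Dict[str, Set[str]] = {}
    for clause in text.split():
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unparseable clause: {clause!r}")
        names = [n for n in m.group(1).split(",") if n]
        if names == ["all"]:
            names = []
        for op, flags in _OPS.findall(m.group(2)):
            flagset = set(flags)
            if not names:
                # No name list: the clause applies to every capability.
                # A bare "=" is the usual "clear everything" prefix.
                if op == "=":
                    state.clear()
                    if flagset:
                        raise ValueError("flags on all capabilities are not supported here")
                    continue
                targets = list(state)
            else:
                targets = names
            for name in targets:
                current = state.setdefault(name, set())
                if op == "=":
                    state[name] = set(flagset)
                elif op == "+":
                    current |= flagset
                else:
                    current -= flagset
    # Capabilities with no flags left are not part of the file's sets.
    return {n: f for n, f in state.items() if f}


def format_cap_text(caps: Dict[str, Set[str]]) -> str:
    """Render in the style cap_to_text(3) uses: '= name,name+flags ...'."""
    groups: Dict[str, List[str]] = {}
    for name, flags in caps.items():
        key = "".join(f for f in "eip" if f in flags)
        groups.setdefault(key, []).append(name)
    clauses = [f"{','.join(sorted(names))}+{key}" for key, names in sorted(groups.items())]
    return "= " + " ".join(clauses) if clauses else "="


def inheritable_caps(text: str) -> List[str]:
    """Names of capabilities that carry the inheritable ('i') flag."""
    return sorted(n for n, f in parse_cap_text(text).items() if "i" in f)


def drop_inheritable(text: str) -> str:
    """Same capability string with the inheritable flag removed everywhere."""
    caps = {n: f - {"i"} for n, f in parse_cap_text(text).items()}
    return format_cap_text({n: f for n, f in caps.items() if f})


def audit_table(csv_text: str) -> List[Tuple[str, str, List[str], str]]:
    """Rows whose binary has inheritable capabilities, with a suggested replacement."""
    findings = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != 3:
            continue  # skip blank or malformed lines
        pkg, path, captext = row
        inh = inheritable_caps(captext)
        if inh:
            findings.append((pkg, path, inh, drop_inheritable(captext)))
    return findings


# Constructed sample in the "package,path,capability string" shape of the
# quoted Fedora entry; the first row is from the post, the second is made up.
SAMPLE_TABLE = (
    'wireshark,/usr/sbin/dumpcap,"= cap_net_admin,cap_net_raw+eip"\n'
    'example-tool,/usr/bin/example-tool,"= cap_net_raw+ep"\n'
)

if __name__ == "__main__":
    for pkg, path, inh, suggested in audit_table(SAMPLE_TABLE):
        print(f"{pkg}: {path} has inheritable {', '.join(inh)}; suggest: {suggested}")
```

On a live system the same check can be fed from the output of `getcap -r /`, one path per line, after reshaping it into the three-column form; the suggested string is what you would hand to `setcap` once you have confirmed, as the post does for dumpcap, that the binary never execs anything that should keep the capabilities.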