Inheritable file system capabilities
Florian Weimer
fweimer at redhat.com
Thu Oct 10 07:46:30 UTC 2013
We've been looking at file system capabilities recently.
I noticed this particular instance in Fedora:
wireshark,/usr/sbin/dumpcap,"= cap_net_admin,cap_net_raw+eip"
If I understand things correctly, the "i" part is unnecessary because
dumpcap doesn't spawn other programs (unless exploited, that is). So
making these capabilities non-inheritable makes sense to me.
Comments?
--
Florian Weimer / Red Hat Product Security Team
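The question turns on what the kernel does with a file's inheritable bit at execve(2). The following is an added example, mine rather than code from the message, Fedora or Wireshark: a small model of the capability transition rule from capabilities(7) for a non-root caller, applied to the dumpcap setting quoted above and to the same setting without the `i` bit. The four capability names are a constructed subset, and ambient capabilities (Linux 4.3 and later), securebits and the uid-0 special cases are deliberately left out.

```python
# Added example, not code from the original message, Fedora or Wireshark:
# a model of the Linux capability transition across execve(2) of a file
# that carries file capabilities, following the rules in capabilities(7)
# for a non-root caller.  Ambient capabilities (Linux 4.3+), securebits
# and the uid-0 special cases are deliberately left out.
from dataclasses import dataclass

# Constructed sample of capability names; the real list lives in
# <linux/capability.h>.
CAP_NAMES = ("cap_net_admin", "cap_net_raw", "cap_sys_admin", "cap_setuid")
ALL = frozenset(CAP_NAMES)


@dataclass(frozen=True)
class CapSets:
    """Effective, permitted and inheritable sets of a process or a file."""
    effective: frozenset = frozenset()
    permitted: frozenset = frozenset()
    inheritable: frozenset = frozenset()


def parse_cap_text(text):
    """Parse the getcap/setcap text form, e.g. "= cap_net_admin,cap_net_raw+eip".

    Subset of the cap_from_text(3) grammar: whitespace-separated clauses,
    each a comma-separated capability list (empty or "all" means every
    capability) followed by operator groups '=', '+' or '-' with flags
    drawn from 'e', 'i', 'p'.  '=' clears the listed caps from all three
    sets and then raises them in the flagged ones, so a bare "=" resets.
    """
    sets = {"e": set(), "i": set(), "p": set()}
    for clause in text.split():
        positions = [clause.find(op) for op in "=+-" if op in clause]
        if not positions:
            raise ValueError(f"no operator in clause {clause!r}")
        idx = min(positions)
        caplist, actions = clause[:idx], clause[idx:]
        caps = ALL if caplist in ("", "all") else frozenset(caplist.split(","))
        unknown = caps - ALL
        if unknown:
            raise ValueError(f"unknown capability {sorted(unknown)}")
        i = 0
        while i < len(actions):
            op = actions[i]
            i += 1
            if op not in "=+-":
                raise ValueError(f"bad operator {op!r} in {clause!r}")
            flags = ""
            while i < len(actions) and actions[i] in "eip":
                flags += actions[i]
                i += 1
            if op == "=":
                for f in sets:
                    sets[f] -= caps
            for f in flags:
                if op == "-":
                    sets[f] -= caps
                else:
                    sets[f] |= caps
    return CapSets(frozenset(sets["e"]), frozenset(sets["p"]), frozenset(sets["i"]))


def exec_transition(caller, file_caps, bounding=ALL):
    """capabilities(7) rule for execve of a file with file caps, non-root caller:

      P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & bounding)
      P'(effective)   = P'(permitted) if the file's effective bit is set, else empty
      P'(inheritable) = P(inheritable)

    The bounding set masks only the F(permitted) term.  On disk the file
    effective flag is a single bit; here it is modelled as set whenever the
    file's 'e' set is non-empty (a simplification).
    """
    permitted = (caller.inheritable & file_caps.inheritable) | (file_caps.permitted & bounding)
    effective = permitted if file_caps.effective else frozenset()
    return CapSets(effective, permitted, caller.inheritable)


DUMPCAP_EIP = "= cap_net_admin,cap_net_raw+eip"  # the Fedora setting quoted above
DUMPCAP_EP = "= cap_net_admin,cap_net_raw+ep"    # the same without the 'i' bit


def compare(caller, bounding=ALL):
    """Run one caller through both spellings; returns (with_i, without_i)."""
    return (exec_transition(caller, parse_cap_text(DUMPCAP_EIP), bounding),
            exec_transition(caller, parse_cap_text(DUMPCAP_EP), bounding))


if __name__ == "__main__":
    nobody = CapSets()                                        # ordinary unprivileged caller
    holder = CapSets(inheritable=frozenset({"cap_net_raw"}))  # already has net_raw in pI
    for name, caller, bset in (
        ("unprivileged caller, full bounding set", nobody, ALL),
        ("caller with cap_net_raw inheritable, full bounding set", holder, ALL),
        ("caller with cap_net_raw inheritable, cap_net_raw dropped from bounding set",
         holder, ALL - {"cap_net_raw"}),
    ):
        with_i, without_i = compare(caller, bset)
        print(name)
        print("  +eip -> permitted", sorted(with_i.permitted), "inheritable", sorted(with_i.inheritable))
        print("  +ep  -> permitted", sorted(without_i.permitted), "inheritable", sorted(without_i.inheritable))
```

For an ordinary caller whose inheritable set is empty the two spellings give the same result, because the file's inheritable set is ANDed with the caller's. The `i` bit changes the outcome only when the caller already holds the capability in its own inheritable set and that capability has been dropped from its bounding set: `+eip` then still yields it, `+ep` does not. In every case the new process's inheritable set, the only thing it could hand on to programs it executes, is simply the caller's inheritable set, unaffected by the file's bits. On a real system the file's sets are read with `getcap /usr/sbin/dumpcap` and the narrower form is written with `setcap 'cap_net_admin,cap_net_raw+ep' /usr/sbin/dumpcap`.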
More information about the security mailing list