Re: [PATCH] capabilites, take 2

From: Olaf Dietsche
Date: Fri May 14 2004 - 01:40:24 EST

Andy Lutomirski <luto@xxxxxxxxxxxxx> writes:

> I'm not convinced that Posix's version makes any sense. Also, there are
> apparently a number of drafts around which disagree on what the right
> rules are. (My copy, for example, matches the old rules exactly, but
> the old rules caused the sendmail problem.)

Don't confuse POSIX _semantics_ with implementation _bugs_.

> And, under Posix, what does
> the inheritable mask mean, anyway?
> Also, I don't find the posix rules to be useful (why is there an
> inheritable mask if all it does is to cause caps to be dropped on
> exec, when the user could just manually drop them?).

You can use the inheritable set, if you want to give capabilities to a
process when it's started by an already priviledged parent (e.g. a
root process), but not when it's started by a regular user.

See <> for an example.

Regards, Olaf.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at