Hi Ted, hy others in this discussion,I think it's mostly due to the fact that there are a lot of potential security issues in using capabilities as implemented in Linux (and other POSIX systems), and unlike chroot(), it's not as easy to protect against stuff trying to bypass them while still keeping them useful. If you do a web search you can relatively easily find info on how to use many of the defined capabilities to get root-equivalent access (CAP_SYS_ADMIN and CAP_SYS_MODULE are obvious, but many of the others can be used also if you know what you are doing, for example CAP_DAC_OVERRIDE+CAP_SYS_BOOT can be used on non-SecureBoot systems to force the system to reboot into an arbitrary kernel).
Am Di den 10. Nov 2015 um 13:40 schrieb Theodore Ts'o:
Whether or not that will be acceptable upstream, I don't know, mainly
because I think a strong case can be made that such a patch has an
audience of one, and adding more complexity here for an idea which has
been time-tested over decades to be a failure is just not a good idea.
I wouldn't tell the implementation until now to be a failure. It helped
a lot to keep a system sane. It is true that all distributions ignored
capabilities completely but I don't think that is due the design.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature