Re: Capabilities done right [diff against 2.3.1]

Theodore Y. Ts'o (tytso@mit.edu)
Mon, 17 May 1999 12:11:41 -0400 (EDT)


My big question with Pavel's patches is that if you're just dropping
privileges, why not just do it programmatically in the program?

The argument against this is that it's harder for the system
administrator to query to see what privileges a program has, and that it
allows the system administrator to configure the privileges for each
program.

The flip side of it is that most system administrators won't know how to
configure the capabilities correctly --- many Unix administrators have
problems with Unix permissions bits, for goodness sake! --- and so the
ability to be able to query the capabilities mask and set the
capabilities may be a curse, not a blessing. Also, if the selection of
which capabilities to drop is determined at configuration time rather
than compile time, it means that the programs have to be very careful
about testing how the program behaves under a very wide range of
circumstances in terms of which capabilities the program might have.
Furthermore, in reality, there are probably only a very small set of
configurations (and possibly only one) which both (a) work and (b) are
secure.

In contrast, if the program simply drops its capabilities as soon as it
starts up, then the programmer can determine exactly what set of
capabilities the program needs, and drop everything else. The reality
is that in order for any setuid program (or program with additional
capabilities/privileges) to be secure, the programmer will still need to
take care. So the programmer is in the best position of deciding which
capabilities/privileges it needs, and should simply have the opportunity
to drop everything it doesn't need.

- Ted
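The approach Ted argues for (the program itself drops everything it doesn't need as soon as it starts) as an added example, not Ted's or Pavel's code: it uses the raw capget(2)/capset(2) syscalls with the version-3 header, which postdates the 2.3.1 kernel this thread concerns, and assumes CAP_NET_BIND_SERVICE is the one capability the program needs.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>
#define CAP_WORDS _LINUX_CAPABILITY_U32S_3   /* two 32-bit words per capability set */
/* Pure helper: new permitted = current & keep. Returns -1 if the program was
 * launched without a capability it says it needs, so a bad launch configuration
 * fails at startup instead of at first use (the programmer knows the needed set). */
static int compute_new_permitted(const uint32_t cur[CAP_WORDS],
                                 const uint32_t keep[CAP_WORDS],
                                 uint32_t out[CAP_WORDS])
{
    for (int i = 0; i < CAP_WORDS; i++) {
        if ((keep[i] & ~cur[i]) != 0)
            return -1;
        out[i] = cur[i] & keep[i];
    }
    return 0;
}

/* Drop every capability except those set in keep[]: permitted and effective
 * shrink to keep; inheritable is cleared so nothing unasked-for survives execve(). */
static int drop_all_but(const uint32_t keep[CAP_WORDS])
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[CAP_WORDS];
    uint32_t cur[CAP_WORDS], newp[CAP_WORDS];
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -1;
    for (int i = 0; i < CAP_WORDS; i++)
        cur[i] = data[i].permitted;
    if (compute_new_permitted(cur, keep, newp) < 0)
        return -1;                        /* a needed capability is missing */
    for (int i = 0; i < CAP_WORDS; i++) {
        data[i].permitted = newp[i];
        data[i].effective = newp[i];
        data[i].inheritable = 0;
    }
    return (int)syscall(SYS_capset, &hdr, data);
}

int main(void)
{
    uint32_t keep[CAP_WORDS] = { 0 };   /* assumption: only a low-port bind is needed */
    keep[CAP_TO_INDEX(CAP_NET_BIND_SERVICE)] |= CAP_TO_MASK(CAP_NET_BIND_SERVICE);
    if (drop_all_but(keep) < 0) { fputs("cannot drop to required set\n", stderr); return 1; }
    return puts("running with only CAP_NET_BIND_SERVICE") < 0;
}
```

Run it as an unprivileged user and it refuses to start, because the one capability it needs is not in its permitted set; that failure at startup is the whole point of letting the programmer, not a configuration file, fix the set.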

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/