Sure it is. You don't think of it as one because it is normally given
to every user, but it is a privilege. Opening a network connection is
a privilege. Debugging your own process is a privilege.
It would be very good to take away the right to exec() privileged
executables, so that a cracker with a shell could not attack buggy
privileged executables in the normal manner.
> I would believe that eventually you would want to convert all uid 0
> checks in the kernel to capabilities checks. Then if you've compiled
> the kernel with out capabilities enabled, you'd dummy up the
> effective, permitted and inheritable sets for all uid 0 processes to
> have ALL privileges in it, and all other normal users have NONE in
> their process capability sets. If it is enabled then you perform the
> normal capabilities calculations whenever a process is exec()'ed. Is
> this the plan Linus?
This is what Linux 2.2 already does, except that all users get a full
set of inheritable bits.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/