David Madore wrote: >This does not tell me, then, why CAP_SETPCAP was globally disabled by >default, nor why passing of capabilities across execve() was entirely >removed instead of being fixed.
I do not know of any good reason. Perhaps the few folks who knew enough to fix it properly didn't feel like bothering; it beats me. Messing with capabilities is scary. As far as I can tell, there never was any coherent "design" to the semantics of POSIX capabilities in Linux. It's had a little bit of a feeling of a muddle of accumulated gunk, so unless you understand it really well, it's hard to know what any changes you make are safe. This may have scared people away from fixing it "the right way". But if you're volunteering to do the analysis and figure out how to fix it, I say, sounds good to me. Then again, I'm an outsider. Perhaps someone more involved in the development and maintanence of capabilities knows something that I don't. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/