Hi!
> I am attempting to write an init replacement that is capability-smart.
> Though I'm pleased that prctl() lets me keep capabilities across a
> setreuid(), maintaining caps over execve() seems impossible to do right.
>
> I currently see a few options:
> - use the CLOEXEC-pipe hack that
I personally use this simple patch which allows me
to keep caps over execve(). It allows me to give a
few more rights to some trusted users, such as
kill, insmod... without risking unlink, chown or
so. I couldn't find any other way to achieve this.
If needed, I can send you the complete prog wh
I am attempting to write an init replacement that is capability-smart.
Though I'm pleased that prctl() lets me keep capabilities across a
setreuid(), maintaining caps over execve() seems impossible to do right.
I currently see a few options:
- use the CLOEXEC-pipe hack that execcap uses (