capabilities.7: Further enhance the recommendation against new uses of CAP_SYS_ADMIN

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Michael Kerrisk 2016-12-20 09:48:14 +01:00
parent fa50d3d48b
commit 6e9219f775
1 changed files with 6 additions and 2 deletions


@ -783,8 +783,12 @@ choose
.B CAP_SYS_ADMIN
if you can possibly avoid it!
A vast proportion of existing capability checks are associated
with this capability,
to the point where it can plausibly be called "the new root".
with this capability (see the partial list above).
It can plausibly be called "the new root",
since on the one hand, it confers a wide range of powers,
and on the other hand,
its broad scope means that this is the capability
that is required by many privileged programs.
Don't make the problem worse.
The only new features that should be associated with
.B CAP_SYS_ADMIN
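Review bot: the rewritten sentence "since on the one hand, it confers a wide range of powers, and on the other hand, its broad scope means that this is the capability that is required by many privileged programs" frames the second clause as a contrast, but it is a consequence of the first; consider "since it confers a wide range of powers and, as a result, is the capability that many privileged programs require." Also, "(see the partial list above)" refers to text outside this hunk, so confirm that the list it points to does precede this paragraph in the CAP_SYS_ADMIN entry.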