mirror of https://github.com/mkerrisk/man-pages
capabilities.7: Further enhance the recommendation against new uses of CAP_SYS_ADMIN
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
fa50d3d48b
commit
6e9219f775
|
@ -783,8 +783,12 @@ choose
|
|||
.B CAP_SYS_ADMIN
|
||||
if you can possibly avoid it!
|
||||
A vast proportion of existing capability checks are associated
|
||||
with this capability,
|
||||
to the point where it can plausibly be called "the new root".
|
||||
with this capability (see the partial list above).
|
||||
It can plausibly be called "the new root",
|
||||
since on the one hand, it confers a wide range of powers,
|
||||
and on the other hand,
|
||||
its broad scope means that this is the capability
|
||||
that is required by many privileged programs.
|
||||
Don't make the problem worse.
|
||||
The only new features that should be associated with
|
||||
.B CAP_SYS_ADMIN
|
||||
|
|
Loading…
Reference in New Issue