root and capabilities list
cjwatson at ubuntu.com
Sun Oct 19 08:37:18 UTC 2014
On Wed, Oct 15, 2014 at 05:11:47AM +0400, ds wrote:
> Anyway, there is another part, reading the msr and cpuid. For that,
> it seems to be really beneficial, to make it available to everyone.
> So the process which needs it, can only live with limited
> CAP_SYS_RAWIO powers.
CAP_SYS_RAWIO is somewhat scary on its own, of course, because it's used
in all kinds of places. Here's a pretty good summary:
> It seem to me, that the root rights are there only because the
> capability system was introduced only a couple of years ago,
I think the more clearly-limited capabilities have slightly better
take-up in userspace than the very diffuse ones, although even then
there tend to be obstacles such as not quite all filesystems supporting
them, so in practice everyone ends up having to cope with both methods
of escalating privileges anyway.
Colin Watson [cjwatson at ubuntu.com]
More information about the Ubuntu-devel-discuss