Posted Nov 2, 2007 1:43 UTC (Fri) by dvdeug (subscriber, #10998)
Parent article: Fixing CAP_SETPCAP
I don't understand why the inheritance bits make things much safer. If login doesn't have a
capability, but its children do, a crack of login can just run a program with the needed
capability. It's an extra hoop to jump through, but I don't see where it adds much.
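As an added illustration (not part of the comment above or of the LWN article), the following Python models the classic Linux execve() capability transformation, so the difference between a child marked with file-inheritable bits (fI) and one marked file-permitted (fP) can be seen directly. It assumes the pre-ambient rules of the CAP_SETPCAP era and an unrestricted bounding set; the "login" and "helper" bit patterns are constructed for the example.

```python
# Added example, not from the LWN comment: a model of how Linux (pre-ambient
# capabilities, the rules in force when CAP_SETPCAP was being reworked) derives
# a process's capability sets across execve(). The "login" and "helper"
# bit patterns below are constructed for illustration.

# Real Linux capability bit numbers.
CAP_SETPCAP = 1 << 8
CAP_NET_BIND_SERVICE = 1 << 10
CAP_SYS_ADMIN = 1 << 21
FULL_BSET = (1 << 41) - 1  # assumption: an unrestricted bounding set


def caps_after_exec(p_inh, p_bset, f_inh, f_perm, f_eff):
    """Return (permitted, effective, inheritable) of the exec'd program.

    Classic transformation rules:
      P'(permitted)   = (P(inh) & F(inh)) | (F(perm) & bounding)
      P'(effective)   = P'(permitted) if F(eff) else 0
      P'(inheritable) = P(inh)
    """
    new_perm = (p_inh & f_inh) | (f_perm & p_bset)
    new_eff = new_perm if f_eff else 0
    return new_perm, new_eff, p_inh


def helper_gains_cap(login_inh, helper_f_inh, helper_f_perm, cap):
    """True if running the helper from login yields `cap` in the effective set."""
    _, eff, _ = caps_after_exec(login_inh, FULL_BSET, helper_f_inh, helper_f_perm, True)
    return eff & cap == cap


# Scenario 1: login carries nothing inheritable; helper is marked only fI.
# A compromised login cannot obtain CAP_SYS_ADMIN by exec'ing the helper.
safe = helper_gains_cap(login_inh=0, helper_f_inh=CAP_SYS_ADMIN,
                        helper_f_perm=0, cap=CAP_SYS_ADMIN)

# Scenario 2: helper is marked fP. It gets the capability regardless of the
# caller, so it behaves like a setuid-style binary. This is the case the
# comment worries about; fI alone does not create it.
forced = helper_gains_cap(login_inh=0, helper_f_inh=0,
                          helper_f_perm=CAP_SYS_ADMIN, cap=CAP_SYS_ADMIN)

# Scenario 3: login keeps CAP_SYS_ADMIN in its inheritable set; fI now matters.
granted = helper_gains_cap(login_inh=CAP_SYS_ADMIN, helper_f_inh=CAP_SYS_ADMIN,
                           helper_f_perm=0, cap=CAP_SYS_ADMIN)

if __name__ == "__main__":
    print(f"fI only, empty pI: {safe}; fP: {forced}; fI with pI: {granted}")
```

The takeaway is that fI bits only grant a capability to children of a process that already holds it in its own inheritable set, whereas fP bits grant it to anyone who can run the file, which is the situation a compromised login could exploit.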