Posted May 11, 2011 19:59 UTC (Wed) by Baylink (subscriber, #755)
Parent article: Expanding seccomp
Well, this is all good cheese... but as someone who's spent the larger part of my career as a sysadmin rather than a programmer... *I can't see into it*.
SUID is pretty easy to audit. Capabilities, though I haven't used them much, are -- so I gather -- similar to audit from the sysadmin viewpoint.
This is going to affect security *down inside the source code where I can't see it*, is it not? Now, sure, it *reduces* the things a process can do.
But from what? If this *expands* the universe of stuff I gotta audit *because it inspires people to require more capabilities than they really need, and then drop the stuff they don't want... then it's going to make sysadmins' lives harder.