CAP_SYS_ADMIN: the new root
Posted Mar 14, 2012 17:56 UTC (Wed) by JoeBuck
Parent article: CAP_SYS_ADMIN: the new root
Suggestion: determine which capabilities are "as good as root" and either eliminate those capabilities or eliminate the ability for a program with that capability to obtain all the others. Programs that previously relied on eliminated capabilities would then have to run as root.
To do otherwise gives a false sense of security and just adds complexity.
to post comments)