SUID is pretty easy to audit. Capabilities, though I haven't used them much, are -- so I gather -- similar to audit from the sysadmin viewpoint.
This is going to affect security *down inside the source code where I can't see it*, is it not? Now, sure, it *reduces* the things a process can do.
But from what? If this *expands* the universe of stuff I gotta audit *because it inspires people to require more capabilities than they really need, and then drop the stuff they don't want... then it's going to make sysadmins' lives harder.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds