I don't really see the problem. Before file capabilities, if a process required *any* extra capabilities it needed to be SUID to root. Now processes can start out with a subset of those capabilities rather than full SUID. Worst case, I would think you could simply treat any executable file with a non-empty set of file capabilities as if it were SUID.
Or are you concerned that people will add individual capabilities to programs that formerly didn't require any, where the stigma of requiring full SUID would have dissuaded them?
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds