
Mount notifications: fanotify and permissions


Posted Jul 6, 2024 2:24 UTC (Sat) by aaronmdjones (subscriber, #119973)
In reply to: Mount notifications: fanotify and permissions by josh
Parent article: Mount notifications

CAP_DAC_READ_SEARCH doesn't mean "ignore file permissions"; that's what CAP_DAC_OVERRIDE is. CAP_DAC_READ_SEARCH is useful for backups for example, where you want to be able to read every file and traverse every directory (hence the name) but nothing else, like changing owner (CAP_CHOWN), changing permissions (CAP_FOWNER), etc. It does not grant you any modification privileges you did not already have.



Mount notifications: fanotify and permissions

Posted Jul 6, 2024 9:08 UTC (Sat) by josh (subscriber, #17465)

Fair enough; you're right that it only ignores read and search permissions, thank you for the correction. It's still not a permission you want to give to a random application, though. So file handles are still not useful for ordinary applications.
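The distinction drawn in this thread can be checked on a running system. The following is an added example, not part of either comment or of the parent article: it decodes the `CapEff` mask from a process's `/proc/<pid>/status` and reports which discretionary-access checks that process can bypass. The function names and the sample status excerpts are constructed for illustration; the bit numbers are those in `<linux/capability.h>`.

```python
import re

# Bit positions from <linux/capability.h>
CAPS = {
    "CAP_CHOWN": 0,
    "CAP_DAC_OVERRIDE": 1,
    "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3,
}

def effective_caps(status_text):
    """Return the DAC-related capabilities set in the CapEff line."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if m is None:
        raise ValueError("no CapEff line found")
    mask = int(m.group(1), 16)
    return {name for name, bit in CAPS.items() if (mask >> bit) & 1}

def dac_profile(status_text):
    """Map held capabilities to the permission checks they bypass."""
    held = effective_caps(status_text)
    return {
        # Either capability lets the process read files and traverse directories.
        "bypass_read_search": bool(held & {"CAP_DAC_READ_SEARCH", "CAP_DAC_OVERRIDE"}),
        # Only CAP_DAC_OVERRIDE bypasses write permission checks.
        "bypass_write": "CAP_DAC_OVERRIDE" in held,
        "change_owner": "CAP_CHOWN" in held,
        "act_as_file_owner": "CAP_FOWNER" in held,
    }

# Constructed /proc/<pid>/status excerpts (not captured from a real host).
BACKUP_AGENT = "Name:\tbackupd\nCapEff:\t0000000000000004\n"
FULL_ROOT = "Name:\tinit\nCapEff:\t000001ffffffffff\n"
ORDINARY_APP = "Name:\teditor\nCapEff:\t0000000000000000\n"

if __name__ == "__main__":
    for label, text in [("backup agent", BACKUP_AGENT),
                        ("full root", FULL_ROOT),
                        ("ordinary app", ORDINARY_APP)]:
        print(label, dac_profile(text))
    try:
        # On Linux, also report on the current process.
        with open("/proc/self/status") as fh:
            print("self", dac_profile(fh.read()))
    except OSError:
        pass
```
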

