On 28/10/2014 17:14, Florian Weimer wrote:
> * Alessandro Selli:
>
>> Florian Weimer wrote:
>>> * Alessandro Selli:
>>>
>>>> CAP_DAC_OVERRIDE is root-equivalent only as far as the DAC is
>>>> concerned.
>>> This is incorrect.
>>
>> Is capabilities(7) man page incorrect?
>
>> What else does this capability allow a process to do?
>
> As I tried to explain, escalation to full root is possible on most
> real-world systems, so this capability is not very restrictive in
> practice.

On a capability-enabled system you have to escalate to get full root privileges. When you're using SUID root binaries there is no escalation to do: you already have full root privileges.

-- 
Alessandro Selli
Tel: 340.839.73.05
VOIP: sip:dhatarat...@ekiga.net
PGP/GPG signing key: B7FD89FD