Capabilties done right, means that normal users DO have capabilities.
Normal users have the capability to call normal syscalls like "read",
"write" and "execve".
And once you have these included in the capabilities (which normal users
and programs normally have by default), you can take them away if you
want. For example, a non-scripting webserver may not require any use of
the "execve" system call.
Oh, it's easy to get a "vector" of over 100 capabilities this way. This
might be inefficient. Thus, it would be required that we get two levels:
first level as you're thinking of it: split capabilities for what
"root" now has, and the other also splitting the "normal user"'s
capabilities (and splitting the root-kinds even further).
Roger.
-- ** R.E.Wolff@BitWizard.nl ** http://www.BitWizard.nl/ ** +31-15-2600998 ** *-- BitWizard writes Linux device drivers for any device you may have! --* * The Worlds Ecosystem is a stable system. Stable systems may experience * * excursions from the stable situation. We are currently in such an * * excursion: The stable situation does not include humans. *************** - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/