On Monday 03 October 2005 10:38, Stephen Smalley wrote:
It seems wrong to have to make a previously non-suid program suid just for
the sake of adding audit functionality to it, thereby potentially exposing
the system to greater risk because of the greater privilege with which the
entire program code runs.
What I was thinking of doing was to drop capabilities on startup and leave
CAP_AUDIT_WRITE since that is all we are after. I see newrole uses pam and
that swings in a lot of code. Still, it should be safe if we drop
capabilities very early.
-Steve
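As an added illustration of the approach Steve describes (drop everything but CAP_AUDIT_WRITE before any other code, PAM included, gets to run), here is a small C example. It is not code from this thread or from newrole; it uses the raw capget/capset syscalls with the v3 ABI so it builds without libcap (a real program would more likely call libcap's cap_set_proc), and the helper names keep_only_capability and count_other_permitted are my own. Shrinking capability sets is always allowed by the kernel, so the same code also runs in an unprivileged process, which simply ends up with no capabilities at all.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Read the calling thread's capability sets with the raw capget(2)
 * syscall (v3 ABI: two 32-bit words per set). */
static int read_caps(struct __user_cap_data_struct data[2])
{
    struct __user_cap_header_struct hdr;
    memset(&hdr, 0, sizeof hdr);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    hdr.pid = 0;                      /* 0 = calling thread */
    memset(data, 0, 2 * sizeof data[0]);
    return (int)syscall(SYS_capget, &hdr, data);
}

/* Write the calling thread's capability sets with capset(2). */
static int write_caps(struct __user_cap_data_struct data[2])
{
    struct __user_cap_header_struct hdr;
    memset(&hdr, 0, sizeof hdr);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    hdr.pid = 0;
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Drop every capability except `keep` from the permitted and effective
 * sets and clear the inheritable set so nothing survives an exec.
 * Returns 0 on success, -1 on failure (errno set by the syscall). */
int keep_only_capability(int keep)
{
    struct __user_cap_data_struct data[2];
    int i;

    if (read_caps(data) != 0)
        return -1;

    for (i = 0; i < 2; i++) {
        unsigned int mask = ((int)CAP_TO_INDEX(keep) == i)
                                ? CAP_TO_MASK(keep) : 0u;
        data[i].permitted   &= mask;
        data[i].effective   &= mask;
        data[i].inheritable  = 0;
    }
    return write_caps(data) == 0 ? 0 : -1;
}

/* Number of capabilities other than `keep` still in the permitted set:
 * the check a hardened startup path should make after dropping.
 * Returns -1 if the sets cannot be read. */
int count_other_permitted(int keep)
{
    struct __user_cap_data_struct data[2];
    int i, n = 0;

    if (read_caps(data) != 0)
        return -1;
    for (i = 0; i < 2; i++) {
        unsigned int bits = data[i].permitted;
        if ((int)CAP_TO_INDEX(keep) == i)
            bits &= ~CAP_TO_MASK(keep);
        n += __builtin_popcount(bits);
    }
    return n;
}

int main(void)
{
    /* First thing in main: before PAM or any other library code runs. */
    if (keep_only_capability(CAP_AUDIT_WRITE) != 0) {
        perror("capset");
        return 1;
    }
    printf("capabilities other than CAP_AUDIT_WRITE still permitted: %d\n",
           count_other_permitted(CAP_AUDIT_WRITE));
    return 0;
}
```

Calling keep_only_capability as the very first statement of main is the point: once PAM modules have been loaded, any of that code has already executed with the full privilege the suid bit conferred. The count_other_permitted check makes the reduced privilege something a test can assert on rather than assume.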