Different CapBnd with libcap-ng #982

Open
mruprich opened this issue Mar 17, 2022 · 3 comments
@mruprich
Contributor

Probably not a bug, I just wanted to ask this question. Having libcap-ng when building tcpdump means that when privileges are dropped, CapBnd is different than when libcap-ng is not in the system. Basically, when using just initgroups, setgid and setuid, CapBnd is 000001ffffffffff; with libcap-ng it is all zeroed out.

I am not sure whether I should expect both cases to have the same CapBnd or is it just that without libcap-ng it is much more complicated to drop the Bnd?

Thanks,
Michal

@infrastation
Member

At a glance this difference does not immediately look out of place: if it was practicable to drop as many privileges without the library, it would likely be already done without the library. Of course, it would take a longer look into the documentation to tell with confidence.

@mruprich
Contributor Author

@infrastation Hi, thanks, so do I understand this correctly, that the situation with libcap-ng is actually better because more privileges are dropped and that is desirable?

@infrastation
Member

That's my understanding, although I cannot recall a use case that would require me to flex or to verify individual capabilities. @msekletar added support for libcap-ng 10 years ago in commit 19bb00a, it was refined a number of times since then.
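Added example, not part of the thread and not tcpdump's code: a small C checker that reads the `CapBnd` line from `/proc/<pid>/status` and decodes it, so the two values reported in the issue can be compared on a running process. The function names are illustrative, and the sample status text is constructed around the two `CapBnd` values quoted above.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_NET_RAW_NR 13 /* value of CAP_NET_RAW in linux/capability.h */

/* Constructed status excerpts; only the two CapBnd values come from the issue. */
static const char SAMPLE_SETUID[] = "Name:\ttcpdump\nCapBnd:\t000001ffffffffff\n";
static const char SAMPLE_CAPNG[]  = "Name:\ttcpdump\nCapBnd:\t0000000000000000\n";

/* Parse the hex mask after "<field>:"; 0 on success, -1 if absent or malformed. */
static int cap_field(const char *status, const char *field, uint64_t *mask)
{
    size_t flen = strlen(field);
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, field, flen) == 0 && p[flen] == ':') {
            const char *v = p + flen + 1;
            while (*v == ' ' || *v == '\t') v++;
            if (!isxdigit((unsigned char)*v)) return -1;
            *mask = (uint64_t)strtoull(v, NULL, 16);
            return 0;
        }
        p = strchr(p, '\n');          /* advance to the start of the next line */
        if (p) p++;
    }
    return -1;
}

/* Number of capabilities present in the mask. */
static int cap_count(uint64_t m) { int n = 0; for (; m; m &= m - 1) n++; return n; }
/* Nonzero if capability number `cap` is present in the mask. */
static int cap_has(uint64_t m, int cap) { return cap >= 0 && cap < 64 && ((m >> cap) & 1); }

int main(int argc, char **argv)
{
    char path[64], live[8192] = "";
    snprintf(path, sizeof path, "/proc/%s/status", argc > 1 ? argv[1] : "self");
    FILE *f = fopen(path, "r");
    if (f) { live[fread(live, 1, sizeof live - 1, f)] = '\0'; fclose(f); }
    const char *in[] = { SAMPLE_SETUID, SAMPLE_CAPNG, live };
    const char *name[] = { "sample setuid-only", "sample libcap-ng", path };
    for (int i = 0; i < 3; i++) {
        uint64_t bnd;
        if (cap_field(in[i], "CapBnd", &bnd) != 0) { printf("%s: no CapBnd\n", name[i]); continue; }
        printf("%s: CapBnd=%016llx caps=%d CAP_NET_RAW=%s\n", name[i],
               (unsigned long long)bnd, cap_count(bnd), cap_has(bnd, CAP_NET_RAW_NR) ? "yes" : "no");
    }
    return 0;
}
```

Run with a PID as the first argument to inspect a live tcpdump process after it has dropped privileges; with no argument it reports on itself.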