On Tue, Nov 28, 2006 at 11:09:07AM +0200, Ilya Konstantinov wrote: > You might be able to leave some chosen capability with a non-root process > by: > 1. Starting as a root process. > 2. Eliminating all but the needed capabilities with capset(2) (or > whatever higher-level function there is -- they're undocumented on my > system) > 3. Making the system keep capabilities upon seteuid by calling > prctl(2) with PR_SET_KEEPCAPS. > 4. seteuid(2) and exec(3) your Java thing. > > I didn't actually try it, but it makes sense from the docs.
I recall several discussions on lkml concluding that it's broken. I don't recall anyone fixing it. If you (colloquial you) end up trying this, please let us know how it works out. Cheers, Muli ================================================================= To unsubscribe, send mail to [EMAIL PROTECTED] with the word "unsubscribe" in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]
