On 2/28/15 6:32 PM, Stephen Frost wrote: > This isn't really /etc/shadow though, this is more like direct access to > the filesystem through the device node- and you'll note that Linux > certainly has got an independent set of permissions for that called the > capabilities system. That's because messing with those pieces can crash > the kernel. You're not going to crash the kernel if you goof up > /etc/shadow.
I think this characterization is incorrect. The Linux capability system does not exist because the actions are scary or can crash the kernel. Capabilities exist because they are not attached to file system objects and can therefore not be represented using the usual permission system. Note that one can write directly to raw devices or the kernel memory through various /dev and /proc files. No "capability" protects against that. It's only the file permissions, possibly in combination with mount options. -- Sent via pgsql-hackers mailing list (firstname.lastname@example.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers