Nicolas Williams wrote: >>> What applications would drop these basic privileges? >> any application that should never do any networking, believe it or not > ^^^^^ >> there are some :-) We even have some customers who have understood >> basic privileges well enough to request this! > > Strong word, that.
Yes and it is only in those cases that you should drop the network privileges! > I think applications like ssh-agent qualify (ssh-agent only after it's > setup its local IPC listener). But it helps that you can be reasonably > certain that no library paths will be doing networking. Thats exactly the type of case I'm looking at. In many ways this isn't actually any different to having the ability to drop proc_fork and proc_exec. Yes there are library calls that fork and exec ! -- Darren J Moffat
