
Also only works for actual binaries, not scripts. Well, you can write a short exec wrapper I suppose.



Hm. Why doesn't it work for scripts? I thought the capabilities were stored in the filesystem?


An OS that allows shebang scripts to have setuid or capabilities ends up allowing security holes, as seen in traditional Unix variants; see http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html and https://www.in-ulm.de/~mascheck/various/shebang/#setuid

Therefore, Linux simply doesn't allow it.


Because the script is probably not what is actually opening the port. It is going to execute something else that will open the port.
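The replies above say that Linux takes privileges from the program that actually gets executed, not from the script file. The following is an added sketch, not code from the thread: it follows a script's `#!` line with a simplified version of the kernel's parsing and reports a setuid bit or file capability on the script that will therefore be ignored. The function names and the sample files are constructed for illustration.

```python
import os, stat, tempfile

BINPRM_BUF_SIZE = 256  # bytes of the file head the kernel's script loader reads

def shebang_interpreter(path):
    """Interpreter named on the '#!' line, or None if `path` is not a script."""
    with open(path, "rb") as f:
        head = f.read(BINPRM_BUF_SIZE)
    if not head.startswith(b"#!"):
        return None
    line = head[2:].split(b"\n", 1)[0].strip(b" \t")
    interp = line.replace(b"\t", b" ").split(b" ", 1)[0]  # name ends at first blank
    return os.fsdecode(interp) if interp else None

def privilege_source(path, depth=0):
    """File whose setuid bit and capabilities execve() uses when `path` is run."""
    if depth > 4:  # bounded nesting; the exact kernel limit is not modelled here
        raise OSError("too many levels of interpreters")
    interp = shebang_interpreter(path)
    return path if interp is None else privilege_source(interp, depth + 1)

def has_file_caps(path):
    try:
        return bool(os.getxattr(path, "security.capability"))
    except (OSError, AttributeError):  # attribute absent, or not Linux
        return False

def audit(path):
    """Privilege markers set on a script that execve() will not honour."""
    target, ignored = privilege_source(path), []
    if target != path and os.stat(path).st_mode & (stat.S_ISUID | stat.S_ISGID):
        ignored.append("setuid/setgid bit")
    if target != path and has_file_caps(path):
        ignored.append("security.capability xattr")
    return {"privilege_source": target, "ignored": ignored}

def demo():
    """Constructed sample: a placeholder 'ELF' interpreter and a setuid script."""
    d = tempfile.mkdtemp()
    interp, script = os.path.join(d, "interp"), os.path.join(d, "server.sh")
    with open(interp, "wb") as f:
        f.write(b"\x7fELF placeholder, never executed\n")
    with open(script, "wb") as f:
        f.write(b"#! " + os.fsencode(interp) + b" -x\necho listening\n")
    os.chmod(script, 0o4755)
    return interp, audit(script)

if __name__ == "__main__":
    print(demo())
```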



