feld (feld@friedcheese.us)'s status on Friday, 27-Sep-2024 22:36:26 JST

feld @lena If you're referring to CAP_NET_BIND_SERVICE to let it bind on a privileged port -- this is one of the worst design decisions in Linux.
Instead of allowing a UID or GID to bind to a privileged port, you bless a *binary* that anyone could execute. Which means if a local user can find a way to crash the service they can start it and have control of it.
Absolutely insane.
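The exposure described in the post is that a file capability rides on the executable, so whoever can run the file gets the capability. An audit for that condition, added here as an example and not code from the post or from libcap: it parses the output of `getcap -r` (both the current `path cap=flags` form and the older `path = cap+flags` form), looks up each binary's mode, and flags those carrying cap_net_bind_service that are executable by every local user or writable by a non-owner. The sample `getcap` output and the fake `stat` results below are constructed for the demonstration; `run_getcap()` is what you would call on a real host.

```python
"""Audit file capabilities that grant CAP_NET_BIND_SERVICE (added example)."""
import os
import stat
import subprocess
from dataclasses import dataclass


def parse_getcap_line(line):
    """Return (path, set of capability names) for one getcap line, or None.

    Handles both formats getcap has printed over the years:
      /usr/bin/srv cap_net_bind_service=ep        (libcap 2.4x and later)
      /usr/bin/srv = cap_net_bind_service+ep      (older libcap)
    Paths containing spaces are not handled; getcap output is ambiguous there.
    """
    line = line.strip()
    if not line:
        return None
    if " = " in line:
        path, _, caps = line.partition(" = ")
    else:
        path, _, caps = line.rpartition(" ")
    if not path or not caps:
        return None
    names = set()
    for clause in caps.split(","):
        # Drop the flag suffix ("=ep", "+eip", "-e") to keep just the name.
        name = clause.split("=")[0].split("+")[0].split("-")[0].strip()
        if name:
            names.add(name)
    return path, names


@dataclass
class Finding:
    path: str
    world_executable: bool      # any local user can run it and gain the cap
    writable_by_non_owner: bool # group/world write: the capability can be hijacked


def assess(path, mode, caps):
    """Return a Finding for a binary carrying cap_net_bind_service, else None."""
    if "cap_net_bind_service" not in caps:
        return None
    return Finding(
        path=path,
        world_executable=bool(mode & stat.S_IXOTH),
        writable_by_non_owner=bool(mode & (stat.S_IWGRP | stat.S_IWOTH)),
    )


def audit(getcap_output, stat_fn=os.stat):
    """Parse getcap output and assess every binary that still exists."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        try:
            mode = stat_fn(path).st_mode
        except FileNotFoundError:
            continue
        finding = assess(path, mode, caps)
        if finding is not None:
            findings.append(finding)
    return findings


def run_getcap(root="/"):
    """Run `getcap -r` on a real host (requires libcap's getcap on PATH)."""
    proc = subprocess.run(["getcap", "-r", root], capture_output=True,
                          text=True, check=False)
    return proc.stdout


# Constructed sample getcap output for offline use; these paths are fictional.
SAMPLE_GETCAP = """\
/usr/bin/srv cap_net_bind_service=ep
/usr/bin/legacy = cap_net_bind_service+ep
/usr/bin/multi cap_net_raw,cap_net_bind_service=ep
/usr/bin/ping cap_net_raw=ep
"""


class _FakeStat:
    def __init__(self, mode):
        self.st_mode = mode


def fake_stat(path):
    """Constructed modes for the sample paths (stand-in for os.stat)."""
    modes = {
        "/usr/bin/srv": 0o100755,     # world-executable: anyone gets the cap
        "/usr/bin/legacy": 0o100750,  # restricted to owner and one group
        "/usr/bin/multi": 0o100775,   # group-writable as well
        "/usr/bin/ping": 0o100755,
    }
    return _FakeStat(modes[path])


if __name__ == "__main__":
    for f in audit(SAMPLE_GETCAP, stat_fn=fake_stat):
        print(f)
```

A binary flagged `world_executable` is the case the post objects to; the mode-based mitigation is to restrict execute permission to the service's own group (as the sample `/usr/bin/legacy` does). Granting the capability to the process rather than the file, for example through the service manager that starts it, avoids blessing the file at all.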