by dom0 3494 days ago
> capabilities

Well. There just aren't many useful caps to begin with. For example, consider backups. You'd want the backup system to have full read access to everything. Well. You can't do that with capabilities. You only get DAC_OVERRIDE, which is one of the many root-equivalent caps in Linux. Probably half of them are.


Even better, in my opinion, is that many of the caps that you would use to sandbox an app (like PID and FS namespaces) require you to have the sysadmin capability set on the process.

Great. You need to give a process more or less root so that it can deny itself privileges.

The idea is probably that the service manager (systemd) manages the NSs for the applications contained therein. systemd of course doesn't have to check its own privileges.
GNU PIES, however, does check its own privileges. I have no idea why it didn't get a harder look during the init wars. I get that Shepherd "isn't there yet", but IMO Pies is.
But the binaries I want this on aren't services.
Which leads us to the full absurdity of CAP_SYS_ADMIN, which at this point even the kernel team admits is "basically root".
You only need CAP_DAC_READ_SEARCH for backups.
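An added example, not part of the thread or any commenter's code, to make the two points above checkable on a real box: it parses the CapEff mask from /proc/&lt;pid&gt;/status text, names the bits, checks whether a backup agent holds exactly CAP_DAC_READ_SEARCH and nothing more (CAP_DAC_OVERRIDE would also grant write), and flags the presence of a few caps that are widely treated as root-equivalent. The capability bit numbers come from &lt;linux/capability.h&gt;; the "root-equivalent" list is a working subset chosen for this example, not an authoritative kernel list, and the three status excerpts are constructed, not captured.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers as defined in <linux/capability.h> (stable userspace ABI). */
#define CAP_DAC_OVERRIDE     1
#define CAP_DAC_READ_SEARCH  2
#define CAP_SETUID           7
#define CAP_SYS_MODULE      16
#define CAP_SYS_RAWIO       17
#define CAP_SYS_PTRACE      19
#define CAP_SYS_ADMIN       21
#define CAP_LAST_CAP        40

static const char *const cap_names[CAP_LAST_CAP + 1] = {
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner", "cap_fsetid",
    "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap", "cap_linux_immutable",
    "cap_net_bind_service", "cap_net_broadcast", "cap_net_admin", "cap_net_raw",
    "cap_ipc_lock", "cap_ipc_owner", "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot",
    "cap_sys_ptrace", "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod", "cap_lease",
    "cap_audit_write", "cap_audit_control", "cap_setfcap", "cap_mac_override",
    "cap_mac_admin", "cap_syslog", "cap_wake_alarm", "cap_block_suspend", "cap_audit_read",
    "cap_perfmon", "cap_bpf", "cap_checkpoint_restore"
};

/* Caps that on their own give a path back to full root (CAP_SYS_ADMIN is the usual
   example). Working subset for this example, not an exhaustive list. */
static const int root_equiv_caps[] = { CAP_DAC_OVERRIDE, CAP_SETUID, CAP_SYS_MODULE,
                                       CAP_SYS_RAWIO, CAP_SYS_PTRACE, CAP_SYS_ADMIN };

/* Constructed /proc/<pid>/status excerpts (not captured from a real system). */
const char *const SAMPLE_ROOT_SHELL =
    "Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n";
const char *const SAMPLE_BACKUP_AGENT =
    "Name:\tbackupd\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000004\n"
    "CapEff:\t0000000000000004\nCapBnd:\t0000000000000004\nCapAmb:\t0000000000000004\n";
const char *const SAMPLE_SANDBOXER =
    "Name:\tsandbox\nCapInh:\t0000000000000000\nCapPrm:\t0000000000200000\n"
    "CapEff:\t0000000000200000\nCapBnd:\t0000000000200000\nCapAmb:\t0000000000000000\n";

/* Extract the hex CapEff mask from status text. Sets *found to 0 if the line is absent. */
uint64_t parse_cap_eff(const char *status, int *found)
{
    if (found) *found = 0;
    const char *p = strstr(status, "CapEff:");
    if (!p) return 0;
    p += strlen("CapEff:");
    char *end;
    uint64_t mask = strtoull(p, &end, 16);
    if (end == p) return 0;
    if (found) *found = 1;
    return mask;
}

int has_cap(uint64_t mask, int cap) { return (int)((mask >> cap) & 1); }

/* Return the first root-equivalent cap present in the mask, or -1 if none. */
int first_root_equivalent(uint64_t mask)
{
    for (size_t i = 0; i < sizeof root_equiv_caps / sizeof *root_equiv_caps; i++)
        if (has_cap(mask, root_equiv_caps[i])) return root_equiv_caps[i];
    return -1;
}

/* A read-only backup agent needs CAP_DAC_READ_SEARCH and nothing else. */
int backup_caps_minimal(uint64_t mask)
{
    return mask == (1ULL << CAP_DAC_READ_SEARCH);
}

/* Write space-separated names of the set bits into buf; return how many caps are set. */
int list_caps(uint64_t mask, char *buf, size_t n)
{
    int count = 0;
    size_t used = 0;
    if (n) buf[0] = '\0';
    for (int c = 0; c <= CAP_LAST_CAP; c++) {
        if (!has_cap(mask, c)) continue;
        if (used < n) {
            int w = snprintf(buf + used, n - used, "%s%s", count ? " " : "", cap_names[c]);
            if (w > 0) used += (size_t)w;
        }
        count++;
    }
    return count;
}

static void report(const char *label, const char *status)
{
    int found;
    char names[1024];
    uint64_t mask = parse_cap_eff(status, &found);
    int n = list_caps(mask, names, sizeof names);
    int bad = first_root_equivalent(mask);
    printf("%s: CapEff=%016llx (%d caps): %s\n", label, (unsigned long long)mask, n, names);
    printf("  backup-minimal: %s; root-equivalent cap: %s\n",
           backup_caps_minimal(mask) ? "yes" : "no", bad < 0 ? "none" : cap_names[bad]);
}

int main(void)
{
    report("root shell", SAMPLE_ROOT_SHELL);
    report("backup agent", SAMPLE_BACKUP_AGENT);
    report("sandboxer", SAMPLE_SANDBOXER);
    return 0;
}
```

On a live system, feed the contents of /proc/&lt;pid&gt;/status to parse_cap_eff instead of the constructed strings; the sandboxer sample shows the thread's complaint in one line, since a process that holds only CAP_SYS_ADMIN to set up namespaces still trips the root-equivalent check.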