[vacuity]

I was also the one who wrote a sibling comment saying that capabilities aren't magical, but I do think they are excellent as far as any mechanism goes. Linux doesn't nearly go far enough in capability-based security, and merely adapting practices fails to make full use of capabilities. It's a bug if I have to verify my identity often for a routine task, whether it's through sudo or polkit. User friction is bad for security in many ways. Instead, configure the service once to have the capabilities you would give it each time anyways. Take it out of the user's hands and set it down on the desk (still in their control, just not taking up space). polkit is not quite there, whereas capabilities easily confine all programs (don't have to support polkit), are trivially flexible in behavior while being both secure and invisible by default, and provide control to the proper agents (users and involved programs). Capabilities turn access control from a hard problem plus various pitfalls to just a hard problem. Rather than an incrementally better solution, changing paradigms here is a good idea. Although Unix already most has capabilities through file descriptors, so in some sense its "everything is a file" philosophy can't go far enough.