lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20230814134423.46036cdf@hermes.local> Date: Mon, 14 Aug 2023 13:44:23 -0700 From: Stephen Hemminger <stephen@...workplumber.org> To: Maximilian Bosch <maximilian@...sch.me> Cc: netdev@...r.kernel.org Subject: Re: [PATCH iproute2-next] ip-vrf: recommend using CAP_BPF rather than CAP_SYS_ADMIN On Wed, 9 Aug 2023 11:26:36 +0200 Maximilian Bosch <maximilian@...sch.me> wrote: > -This command also requires to be ran as root or with the CAP_SYS_ADMIN, > -CAP_NET_ADMIN and CAP_DAC_OVERRIDE capabilities. If built with libcap and if > -capabilities are added to the ip binary program via setcap, the program will > -drop them as the first thing when invoked, unless the command is vrf exec. > +This command also requires to be ran as root or with the CAP_BPF (or > +CAP_SYS_ADMIN on Linux <5.8), CAP_NET_ADMIN and CAP_DAC_OVERRIDE capabilities. > +If built with libcap and if capabilities are added to the ip binary program > +via setcap, the program will drop them as the first thing when invoked, > +unless the command is vrf exec. I don't like it when documentation becomes kernel version dependent. And distro kernels backport all the time. Documentation should cover why instead of hiding it in comments. This paragraph is almost unreadable even before the patch. The verb tenses and wording are not those that would be used by a native English speaker.
Powered by blists - more mailing lists