From mboxrd@z Thu Jan 1 00:00:00 1970
From: Stephen Hemminger
Subject: Re: [PATCH iproute2 v1] Drop capabilities if not running ip exec vrf with libcap
Date: Tue, 27 Mar 2018 11:52:15 -0700
Message-ID: <20180327115215.36ff76c2@xeon-e3>
References: <20180327162419.8962-1-bluca@debian.org> <20180327174855.30497-1-bluca@debian.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org, dsahern@gmail.com, luto@amacapital.net
To: Luca Boccassi
Return-path:
Received: from mail-pl0-f43.google.com ([209.85.160.43]:36987 "EHLO mail-pl0-f43.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751976AbeC0SwS (ORCPT ); Tue, 27 Mar 2018 14:52:18 -0400
Received: by mail-pl0-f43.google.com with SMTP id v7-v6so934972plo.4 for ; Tue, 27 Mar 2018 11:52:18 -0700 (PDT)
In-Reply-To: <20180327174855.30497-1-bluca@debian.org>
Sender: netdev-owner@vger.kernel.org
List-ID:

On Tue, 27 Mar 2018 18:48:55 +0100
Luca Boccassi wrote:

> ip vrf exec requires root or CAP_NET_ADMIN, CAP_SYS_ADMIN and
> CAP_DAC_OVERRIDE. It is not possible to run unprivileged commands like
> ping as non-root or non-cap-enabled due to this requirement.
> To allow users and administrators to safely add the required
> capabilities to the binary, drop all capabilities on start if not
> invoked with "vrf exec".
> Update the manpage with the requirements.
>
> Signed-off-by: Luca Boccassi

Applied