libhal-policy -> PolicyKit

Artem Kachitchkine Artem.Kachitchkin at Sun.COM
Wed Mar 8 11:21:00 PST 2006


> Capabilities work fine. Unfortunately there is no way to selectively
> grant them AFAIK. The program must basically be started as root,
> call prctl(PR_SET_KEEPCAPS), setuid() to some unprivileged user and
> drop the unneeded capabilities. I.e. ping still has to be setuid root,
> there is no flag in the filesystem that says /bin/ping gets
> CAP_NET_RAW.

Yes, the OS could use filesystem attributes for privilege/capability 
information, but not necessarily. In Solaris we have a database of "execution 
profiles", which tie together executables with privileges and authorizations. 
Right now it doesn't happen automagically; the command must be run under the 
"pfexec" wrapper, i.e. you run 'pfexec cdrecord -scanbus' instead of just 
'cdrecord -scanbus'. But there is an effort under way to integrate profiles 
better so it happens transparently.

Funny you should mention ping, it is also set-uid in Solaris. After so many 
years the concept of "setuid is evil" has stuck in our heads that it's hard to 
realize how an executable can be setuid and least privilege at the same time. 
What ping in Solaris does, the very first thing in main(), is permanently drop 
all privileges it won't need, running least privilege from that point on. So the 
difference really is whether the system drops the privileges for you, or you 
drop the privileges yourself. The former is easier for developers, but they are 
both equal in terms of security.

-Artem.
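The sequence discussed above (start as root, prctl(PR_SET_KEEPCAPS), setuid() to the invoking user, then drop every capability but CAP_NET_RAW, the "drop the privileges yourself" pattern Artem describes for Solaris ping) as an added Linux illustration. This is not code from the hal list, from Solaris ping, or from iputils; it talks to the kernel through the raw capget/capset syscalls with the v3 capability ABI so that it needs no libcap, and it assumes a Linux build host with the kernel UAPI headers installed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Two 32-bit words per capability set in the v3 ABI (caps 0-31 and 32-63). */
#define CAP_WORDS _LINUX_CAPABILITY_U32S_3

/* Bit for capability `cap` inside word `word`; 0 if it lives in the other word. */
uint32_t cap_bit_mask(int cap, int word)
{
    if (cap < 0 || cap >= 32 * CAP_WORDS || cap / 32 != word)
        return 0;
    return 1u << (cap % 32);
}

/* Raw capget/capset wrappers (no libcap). pid 0 means the calling thread. */
static int cap_get(struct __user_cap_data_struct data[CAP_WORDS])
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return syscall(SYS_capget, &hdr, data) == 0 ? 0 : -1;
}

static int cap_set(struct __user_cap_data_struct data[CAP_WORDS])
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

/*
 * Shrink the permitted, inheritable and effective sets to at most keep_cap.
 * Reducing a set never needs privilege, so this works for root and for an
 * already unprivileged process alike (on empty sets it is a no-op). The
 * effective set is rebuilt from permitted because a uid change away from 0
 * clears effective caps even with PR_SET_KEEPCAPS. The bounding set is left
 * alone: dropping from it needs CAP_SETPCAP.
 */
int drop_all_but(int keep_cap)
{
    struct __user_cap_data_struct data[CAP_WORDS];
    if (cap_get(data) != 0)
        return -1;
    for (int w = 0; w < CAP_WORDS; w++) {
        uint32_t keep = cap_bit_mask(keep_cap, w);
        data[w].permitted   &= keep;
        data[w].inheritable &= keep;
        data[w].effective    = data[w].permitted;
    }
    return cap_set(data);
}

/* 1 if anything besides keep_cap is still permitted or effective, 0 if not, -1 on error. */
int has_extra_caps(int keep_cap)
{
    struct __user_cap_data_struct data[CAP_WORDS];
    if (cap_get(data) != 0)
        return -1;
    for (int w = 0; w < CAP_WORDS; w++) {
        uint32_t keep = cap_bit_mask(keep_cap, w);
        if ((data[w].permitted & ~keep) || (data[w].effective & ~keep))
            return 1;
    }
    return 0;
}

/* ping-style entry point: if installed setuid root, the first thing main() does is shed privilege. */
int main(void)
{
    if (geteuid() == 0) {
        /* Keep the permitted set across the uid change, then become the invoking user. */
        if (prctl(PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L) != 0 ||
            setgroups(0, NULL) != 0 ||
            setgid(getgid()) != 0 ||
            setuid(getuid()) != 0) {
            perror("dropping uid");
            return 1;
        }
    }
    if (drop_all_but(CAP_NET_RAW) != 0) {
        perror("capset");
        return 1;
    }
    /* From here on only CAP_NET_RAW (raw sockets) can possibly be exercised. */
    printf("uid=%u euid=%u extra caps left: %d\n",
           (unsigned)getuid(), (unsigned)geteuid(), has_extra_caps(CAP_NET_RAW));
    return 0;
}
```

Run it as an ordinary user and the capability sets are already empty, so the drop is a no-op and has_extra_caps() reports 0; run it setuid root (or directly as root) and the same code path leaves the process with the invoking uid and CAP_NET_RAW alone. The point Artem makes about ping applies here too: whether the kernel strips the privileges for you via a filesystem attribute or the program strips them itself in its first lines of main(), the resulting process holds the same minimal set.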

