Steve Grubb <sgrubb at redhat.com> writes:
> The directory for /bin is 0755 root root. So, even if we drop all
> capabilities, the root acct can still trojan a system.
> If we change the bin directory to 005, then root cannot write to that
> directory unless it has the CAP_DAC_OVERRIDE capability.

I trust you meant to write 0555?

			regards, tom lane
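The permission check the quoted message relies on, as an added shell example that is not part of the thread: a directory is set to 0555 and a write into it is attempted. For an unprivileged uid the write is refused by plain DAC; for uid 0 it succeeds, because root ordinarily holds CAP_DAC_OVERRIDE. The third function, which only runs when the script is root and libcap's capsh is installed (assumed, not guaranteed by the thread), repeats the write with CAP_DAC_OVERRIDE removed from the bounding set so that the uid is still 0 but the mode bits apply.

```shell
#!/bin/sh
# Added example (not from the thread): DAC on a 0555 directory with and
# without CAP_DAC_OVERRIDE. The directory is a scratch mktemp dir, not /bin.

# Create a directory, strip its write bits (0555) and try to create a file
# in it. Prints "allowed" or "denied".
try_write_in_0555_dir() {
    d=$(mktemp -d) || return 1
    chmod 0555 "$d"
    if : > "$d/trojan" 2>/dev/null; then
        result=allowed
    else
        result=denied
    fi
    chmod 0755 "$d"      # the owner may chmod without any capability
    rm -rf "$d"
    echo "$result"
}

# What DAC predicts for the current uid: root bypasses the mode bits via
# CAP_DAC_OVERRIDE, everyone else is bound by them.
expected_for_current_uid() {
    if [ "$(id -u)" -eq 0 ]; then echo allowed; else echo denied; fi
}

# As root with capsh available, retry the write after dropping
# cap_dac_override from the bounding set: the re-exec'd shell is still
# uid 0 but no longer gets that capability, so the write is refused.
# Prints "skipped" when not root or when capsh is missing or cannot drop.
try_write_without_dac_override() {
    if [ "$(id -u)" -ne 0 ] || ! command -v capsh >/dev/null 2>&1; then
        echo skipped
        return 0
    fi
    # Make sure capsh itself works here (needs CAP_SETPCAP for the drop).
    if ! capsh --drop=cap_dac_override -- -c true >/dev/null 2>&1; then
        echo skipped
        return 0
    fi
    d=$(mktemp -d) || return 1
    chmod 0555 "$d"
    if capsh --drop=cap_dac_override -- -c ": > '$d/trojan'" 2>/dev/null; then
        result=allowed
    else
        result=denied
    fi
    rm -rf "$d"
    echo "$result"
}

echo "write into 0555 dir as uid $(id -u): $(try_write_in_0555_dir)"
echo "same write with CAP_DAC_OVERRIDE dropped: $(try_write_without_dac_override)"
```

Two caveats for anyone applying this to a real /bin: chmod by the owner needs no capability at all, so a root process that still runs as the owner of /bin can restore 0755 before writing, and CAP_DAC_OVERRIDE is also the capability that lets root write to the files inside the directory regardless of their own modes. The 0555 directory therefore only helps in combination with the capability drop the message describes.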