From: Stephen Hemminger
Subject: Re: [RFC PATCH iproute2] Drop capabilities if not running ip exec vrf with libcap
Date: Tue, 27 Mar 2018 10:15:19 -0700
Message-ID: <20180327101519.473a1372@xeon-e3>
References: <20180327162419.8962-1-bluca@debian.org>
In-Reply-To: <20180327162419.8962-1-bluca@debian.org>
To: Luca Boccassi
Cc: netdev@vger.kernel.org, dsahern@gmail.com, luto@amacapital.net

On Tue, 27 Mar 2018 17:24:19 +0100
Luca Boccassi wrote:

> ip vrf exec requires root or CAP_NET_ADMIN, CAP_SYS_ADMIN and
> CAP_DAC_OVERRIDE. It is not possible to run unprivileged commands like
> ping as non-root or non-cap-enabled due to this requirement.
> To allow users and administrators to safely add the required
> capabilities to the binary, drop all capabilities on start if not
> invoked with "vrf exec".
> Update the manpage with the requirements.
>
> Signed-off-by: Luca Boccassi

Gets a little messy, but don't have a better answer.

When a command like iproute gets involved in security policy things
I become concerned that it may have unexpected consequences.