Commercialization will destroy the free flow of information. Consider the history of Lisp, and why GNU ever came into existance...I promote Linux in large part because I hope it will bring the "Science" back to Computer Science.
Its a bad thing when a bad law gets passed locally. Forcing it upon a multitude would seem a way to get a paid law repealed. What would happen if another EU country heard a similar trial and a sane judge responded with technical understanding? Would the first precedent be undone?
"Copenhagen's lower bailiff's court ruled Friday that Newsbooster.com was in direct competition with the newspapers and that the links it provided to specific news articles damaged the value of the newspapers' advertisements."
You aren't in competition, but someone could perhaps see into their site without viewing the advertisements along the way. Its all about the money... Its about establishing *control* over the flow. If you don't control the flow, you can't make people pay.
So what I'd like to know is what "right" do these people have to establish controls on the value of advertisements?
"Mac-on-Linux lets you run MacOS under Linux/ppc. MOL runs natively on the processor, i.e. it is very fast. Unlike most mac emulators, MOL can run MacOS 8.6 and later WITHOUT A ROM IMAGE."
mol-0.9.63.tgz doesn't look like its alpha, let alone vapor...Anybody running this?
Math, Physics, and Chemistry require (at least) 3 semesters of Calc. Every chemist I know took Diff. Eq. too. At my school we even require 2 semesters of calc. for our Construction Technology students.
One can present many aspects of mathematics visually, so that a student could (literally) see the concept and understand the vocabulary without gaining any ability to calculate. One could likewise learn to differentiate and become proficent at speedily arriving at correct answers without ever even knowing they were solutions to any problem related to slope. This alone is not understanding. I would suggest that both modes relate to "understanding" mathematics. I've seen math presented with rigour where geometric interpretations were disdained. I've seen physics students who've learned a "bagfull of tricks" to put in their "toolbox", who learn to calculate fast and consistently, but can't discuss what it is they are doing. It works, its a valid step, it gets the right answer. Techniques and comprehension are both necessary, but they aren't the same thing.
May I recomend Dover
Publications? They republish paperback versions of classics (Newton,
Einstein, Fermi, etc...), as well as titles such as Problem Solving
Through Recreational Mathematics , and 100 Great
Problems of Elementary Mathematics. The beauty of
Dover is their price. Many books are under $10.
Also recommended for self study are the Schaum's
Outlines series from McGraw-Hill.
* b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange;
Agreed: I was saving money to buy my first apple because of OSX, then bought an Athlon in disgust over the AQUA theme fiasco. It was the attitudes of online apple chat enthusists that drove me away as much as apple's stance. I decided they weren't something I wanted join.
Multiple desktops are such an obvious advantage that I can't believe they aren't as prevalent as overlapping windows. Its all about being able to categorize when I organize. I am amazed that this wouldn't be considered obvious.
Themes are useful to people who spend alot of time in front of their computer. Changing the appearance without breaking the pattern of functionality is stimulating. It prevents a form of "highway hypnosis". Its fun. Its pretty.
Your parent posts' keyboard shortcut concern is also of concern to me. Keyboard shortcuts are essential.
Ah but if you had to sign a contract in order to get notepad that specified you would only write notes with "approved" titles, and that you would have 6 months to finish your "note" before submitting it for approval to be considered for distribution, else you return notepad w/o a reimbursement (or apply for permission to continue using notepad for another 6 months, on the same title.) THEN it wouldn't MATTER if the work contains IP, its about the allowed use of the product.
http://www.xbox.com/dev/unsigned.htm?det=1
There are three ways to getstarted with Xbox game development. The primary method is to work with a licensed publisher on an approved Xbox title. Developers working on approved titles have access to development tools and support services. The other two methods are designed for "unsigned" developers who are working without a publisher.
The followingPrograms are designed specifically for developers who are not yet signed to make Xbox games for a publisher.
The Xbox Registered Developer Program is designed to allow established developers access to Xbox hardware and support in order to familiarize themselves with the architecture, tailor existing tools and technologies to take advantage of the unique features, and to be able to bid for and secure development projects for the Xbox console. Should your company be accepted into the program, you will be allowed access to development tools and passive technical support in form of the Xbox Central Web site and newsgroups. You may also be invited to participate in various technical sessions and seminars we hold over the course of the year.
The Xbox Incubator Program enables smaller developers to obtain Xbox development tools and support in advance of signing a publishing deal. Interested developers should be able to self-fund a prototype development effort and to pay for the necessary development tools.
This program is limited to a relatively small number of developers and is intended to give a leg up to small teams with great ideas and the ability to make them real. The goal is to get great games published - it is not a hobbiest or part-timer program. If your team isn't willing and able to work itself half to death to get a prototype up and running in 6 months, then the Incubator is not for you.
Applying developers will be required to execute a non-disclosure agreement with Microsoft prior to being considered for the program.
Applying developers will be required to execute a non-disclosure agreement with Microsoft prior to being considered for the program.
Incubator Program developers will have six months to either place their product with a publisher, come back to Xbox for re-authorization for additional time, or to exit the program and return all materials with no refund.
Modularity. I shouldn't have to buy a TV, Stereo, Game Console, and computer. Its offensive to me to differentiate markets to maximize shareholder profits on my dime.
Neither mathematics, nor computer science (nor for that matter physics, chemistry, astronomy, etc...) are "Natural". There are patents in physics and chemistry, for sure, and patents on mathematical algorithms, too.
We should encourage all companies to back linux versions of their products, yes. I fail to comprehend how this relates to XMMS. WinAmp didn't write XMMS. WinAmp didn't write WINE. WinAmp didn't write xmms-winamp. What resources did WinAmp "put... towards noticing us"? I'd love to applaud, but I've not heard the news.
As I recall, OS/2 *could* run win apps... but the OS/2 apps. that did exist were next generation compared to MS apps. The compatibility with MS was without doubt a backwards compatiblity. OS/2 lost the war, but not due to inferior technology in either the OS or the native apps.
Its true that (at least for a BusAdmin major, and also a graphics design major) XMMS has been the deciding factor in friend's decisons to play with Linux. XMMS *is* really that much sweeter. (Well, XMMS and mozilla's tabbed interface.)
Crypto File systems Serious Operating System protect File System Objects through the use of access control mechanism . In it's simplest form it comes as a Access Matrix. In this case File System Objects just have a Owner and some Attributes that specify who (User, Group, Other) can access / manipulate the Object. With this type of access matrix the kernel can decide who can enter Directories, Read or Modify (create,write , delete) Files. Most moderns Operating Systems have also ACL's. This allows a more fine grained control beyound the simple user/group approach.
There are two main problems with any access control System. Someone can get around access control by using some local/remote exploit or much more simple by getting rid of the Framework - the Operating System - under which the Subsystem executes that controls the access. Simply booting another instance of the same OS can do the trick or just using tools from a 'standalone' (floppy) System. If someone has local access (complete physical controll) to the system , access control can't stop any experienced attacker. And is finally the point were Crypto Filessytems put another barrier infront of a potential attacker.
SuxOS introduces a revolutionary security structure, using among others, the Linux Intrusion Detection System to enforce MAC (Mandatory Access Control), the grsecurity kernel patch, to enhance overall security by putting restrictions on various parts of the/proc filesystem, preventing common buffer overflows, TCP/IP stealth code et cetera, plus the valuable protection from format string vulnerabilities given by FormatGuard. Other than that, Pluggable Authentication Modules are used for resource limiting and authentication. All this, together with the
fact that SuxOS only includes applications and servers that are known to have a history of few or none security flaws, gives the administrator unsurpassed security and control over the system.
The Linux Intrusion Detection System makes it possible to make an incredibly fine grained set of Access Control Lists, thus making it virtually impossible for even a skilled cracker to penetrate the strong security layers of
SuxOS. LIDS provides the ability to control all access to system resources, even preventing a root compromise from subverting the security of the entire system. The default Access Control Lists in SuxOS, has been set up in a
very secure fashion, by locking up the system completely, and then explicitly granting access to the applications that need it. The outcome of this is extremely fine grained access control, unsurpassed by any other known Linux
distribution today.
Security of the host itself has been significantly improved. Enforcement of longer passwords, insecure protocols non-existent, and extensive logging and auditing provide a solid foundation to build a complete corporate Internet
presence.
NSA Security-Enhanced Linux (SELinux) implements flexible and fine-grained mandatory access controls for Linux. These controls can be used to confine processes (including superuser processes) to least privilege, to protect the integrity and confidentiality of processes and data, and to support protected subsystems or assured pipelines. SELinux is available under the GNU General Public License.
The Rule Set Based Access Control (
RSBAC
) system is an open source security extension
to current Linux kernels, which has been continuously developed for several years. The
current stable version 1.1.2 has been released on 27th of August 2001.
RSBAC was designed according to the Generalized Framework for Access Control (GFAC) to
overcome the deficiencies of access control in standard Linux systems, and to make a
flexible combination of security models as well as proper access logging possible.
Access control is devided into enforcement, decision and data structures, and all
access modes are grouped into abstract request types. Also, the controlled object types
include interprocess communication as well as devices (not only device special files).
The abstraction makes the framework and the existing model implementations easily
portable to other operation systems.
Among the nine access control models, which are currently included, are well known
ones, like MAC/Bell-LaPadula, as well as new models, which have been specially designed
for *nix server needs. Specially, the complex and powerful Role Compatibility model and
the Access Control Lists model provide fine grained control over all objects in the
system, while the Authorization model easily controls user IDs used by all programs.
Installation requires a kernel patch, RSBAC configuration and a recompile. The complete
set of administration tools contains a range of menues for most tasks.
Practical experience shows the system to be fast and stable for production use, what is
one reason for its growing acceptance. There are already two Linux distributions with
RSBAC included and a lot of server systems running it.
In the next major release 1.2.0, real network access control will be provided and the
whole access control data handling subsystem will have been changed and optimized.
The TrustedBSD project provides a set of trusted operating system extensions to the FreeBSD operating system, targeting the Common Criteria for Information Technology Security Evaluation (CC).
About TrustedBSD
The TrustedBSD project provides a set of trusted operating system
extensions to the FreeBSD operating system, targeting the Common
Criteria for Information Technology Security Evaluation (CC). This
project is still under development, and much of the code is destined
to make its way back into the base FreeBSD operating system.
This Web site will provide access to documentation,
code relating to features that are still under development, and
code that has its fingers in too many places to justify integrating
into the base operating system. Targeted features include:
Extensible and audited authorization framework to support
access control modules. This framework provides
general-purpose labeling of kernel subjects/objects, centralized
policy management, and access to a variety of run-time security
events. This will allow the compile-time, boot-time, and
run-time extension of the operating system security model
based in both TrustedBSD access control modules, and
third-party modules that employ the extension framework.
Mandatory access control modules based on the framework
supporting a variety of access control models, including fixed
and floating label Biba integrity policies, the MLS
confidentiality policy, Type Enforcement, and other customized
policies designed for common FreeBSD deployment scenarios.
In addition, the SELinux FLASK and Type Enforcement
implementations will be provided via an SEBSD module, providing
access to the higher level FLASK service abstraction, and
mature TE implementation.
Improvements in system privilege to reduce the level of
risk associated with common system management functions.
Access control lists for the file system and other kernel
resources allowing fine-grained and manageable discretionary
access control.
Event auditing support, and single-host modular IDS system
to monitor security events and notify administrators in the event
of irregularities.
The TrustedBSD Project is made possible through the generous
sponsorship and donations of a variety of organizations, including
DARPA, NAI Labs, Safeport Network Services, the University of
Pennsylvania, Yahoo!, and others. Contributions to support the
TrustedBSD Project are welcome; please consider making donations
through the FreeBSD
Foundation.
The FreeBSD ``Jail'' facility provides the ability to partition the operating system environment, while maintaining the simplicity of the UNIX ``root'' model. In Jail, users with privilege find that the scope of their requests is limited to the jail, allowing system administrators to delegate management capabilities for each virtual machine environment. Creating virtual machines in this manner has many potential uses; the most popular thus far has been for providing virtual machine services in Internet Service Provider environments.
This
document outlines the kernel security improvements that have been made
in the 2.4 kernel. A number of significant improvements including cryptography
and access control...One of the most obvious and significant improvements in the 2.4 kernel is
the packet
filtering capabilities.
A program such as xntpd might go through the following process to relinquish
the rights that are not necessary for normal operation:
* Start with full root privileges as it normally
does
* Bind to the privileged ntp port
* Drop all capabilities other than CAP_SYS_TIME
* Drop root privileges (preventing it from even
writing to root-owned files)
* Continue normal operation as a regular administrative account
Currently, programs need to be modified to take advantage of capabilities.
With filesystem capabilities, this sometimes won't be necessary. It might
go something like this:
[root@magneto/root]# chattr +CAP_BIND xntpd
This would enable the xntpd process to bind to a socket without requiring
root privileges prior to being run. Quite powerful. At the same time, it's
also contains a certain potential danger due to making an unprivileged
binary slightly privileged.
Slashdot Mirror
Commercialization will destroy the free flow of information. Consider the history of Lisp, and why GNU ever came into existance...I promote Linux in large part because I hope it will bring the "Science" back to Computer Science.
Its a bad thing when a bad law gets passed locally. Forcing it upon a multitude would seem a way to get a paid law repealed. What would happen if another EU country heard a similar trial and a sane judge responded with technical understanding? Would the first precedent be undone?
"Copenhagen's lower bailiff's court ruled Friday that Newsbooster.com was in direct competition with the newspapers and that the links it provided to specific news articles damaged the value of the newspapers' advertisements."
You aren't in competition, but someone could perhaps see into their site without viewing the advertisements along the way. Its all about the money... Its about establishing *control* over the flow. If you don't control the flow, you can't make people pay.
So what I'd like to know is what "right" do these people have to establish controls on the value of advertisements?
"Mac-on-Linux lets you run MacOS under Linux/ppc. MOL runs natively on the processor, i.e. it is very fast. Unlike most mac emulators, MOL can run MacOS 8.6 and later WITHOUT A ROM IMAGE."
mol-0.9.63.tgz doesn't look like its alpha, let alone vapor...Anybody running this?
Math, Physics, and Chemistry require (at least) 3 semesters of Calc. Every chemist I know took Diff. Eq. too. At my school we even require 2 semesters of calc. for our Construction Technology students.
One can present many aspects of mathematics visually, so that a student could (literally) see the concept and understand the vocabulary without gaining any ability to calculate. One could likewise learn to differentiate and become proficent at speedily arriving at correct answers without ever even knowing they were solutions to any problem related to slope. This alone is not understanding. I would suggest that both modes relate to "understanding" mathematics. I've seen math presented with rigour where geometric interpretations were disdained. I've seen physics students who've learned a "bagfull of tricks" to put in their "toolbox", who learn to calculate fast and consistently, but can't discuss what it is they are doing. It works, its a valid step, it gets the right answer. Techniques and comprehension are both necessary, but they aren't the same thing.
May I recomend Dover Publications?
They republish paperback versions of classics (Newton, Einstein, Fermi, etc...), as well as titles such as Problem Solving Through Recreational Mathematics , and 100 Great Problems of Elementary Mathematics. The beauty of Dover is their price. Many books are under $10.
Also recommended for self study are the Schaum's Outlines series from McGraw-Hill.
You wouldn't have to buy it:
* b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange;
Agreed: I was saving money to buy my first apple because of OSX, then bought an Athlon in disgust over the AQUA theme fiasco. It was the attitudes of online apple chat enthusists that drove me away as much as apple's stance. I decided they weren't something I wanted join.
Multiple desktops are such an obvious advantage that I can't believe they aren't as prevalent as overlapping windows. Its all about being able to categorize when I organize. I am amazed that this wouldn't be considered obvious.
Themes are useful to people who spend alot of time in front of their computer. Changing the appearance without breaking the pattern of functionality is stimulating. It prevents a form of "highway hypnosis". Its fun. Its pretty.
Your parent posts' keyboard shortcut concern is also of concern to me. Keyboard shortcuts are essential.
Ah but if you had to sign a contract in order to get notepad that specified you would only write notes with "approved" titles, and that you would have 6 months to finish your "note" before submitting it for approval to be considered for distribution, else you return notepad w/o a reimbursement (or apply for permission to continue using notepad for another 6 months, on the same title.) THEN it wouldn't MATTER if the work contains IP, its about the allowed use of the product.
The Xbox Registered Developer Program is designed to allow established developers access to Xbox hardware and support in order to familiarize themselves with the architecture, tailor existing tools and technologies to take advantage of the unique features, and to be able to bid for and secure development projects for the Xbox console. Should your company be accepted into the program, you will be allowed access to development tools and passive technical support in form of the Xbox Central Web site and newsgroups. You may also be invited to participate in various technical sessions and seminars we hold over the course of the year.
The Xbox Incubator Program enables smaller developers to obtain Xbox development tools and support in advance of signing a publishing deal. Interested developers should be able to self-fund a prototype development effort and to pay for the necessary development tools.
This program is limited to a relatively small number of developers and is intended to give a leg up to small teams with great ideas and the ability to make them real. The goal is to get great games published - it is not a hobbiest or part-timer program. If your team isn't willing and able to work itself half to death to get a prototype up and running in 6 months, then the Incubator is not for you.
Applying developers will be required to execute a non-disclosure agreement with Microsoft prior to being considered for the program.
Applying developers will be required to execute a non-disclosure agreement with Microsoft prior to being considered for the program.
Incubator Program developers will have six months to either place their product with a publisher, come back to Xbox for re-authorization for additional time, or to exit the program and return all materials with no refund.
Modularity. I shouldn't have to buy a TV, Stereo, Game Console, and computer. Its offensive to me to differentiate markets to maximize shareholder profits on my dime.
So was Hitler. So was Nixon. So what?
Neither mathematics, nor computer science (nor for that matter physics, chemistry, astronomy, etc...) are "Natural". There are patents in physics and chemistry, for sure, and patents on mathematical algorithms, too.
We should encourage all companies to back linux versions of their products, yes. I fail to comprehend how this relates to XMMS. WinAmp didn't write XMMS. WinAmp didn't write WINE. WinAmp didn't write xmms-winamp. What resources did WinAmp "put ... towards noticing us"? I'd love to applaud, but I've not heard the news.
As I recall, OS/2 *could* run win apps... but the OS/2 apps. that did exist were next generation compared to MS apps. The compatibility with MS was without doubt a backwards compatiblity. OS/2 lost the war, but not due to inferior technology in either the OS or the native apps.
Its true that (at least for a BusAdmin major, and also a graphics design major) XMMS has been the deciding factor in friend's decisons to play with Linux. XMMS *is* really that much sweeter. (Well, XMMS and mozilla's tabbed interface.)
Crypto File systems
Serious Operating System protect File System Objects through the use of access control mechanism . In it's simplest form it comes as a Access Matrix. In this case File System Objects just have a Owner and some Attributes that specify who (User, Group, Other) can access / manipulate the Object. With this type of access matrix the kernel can decide who can enter Directories, Read or Modify (create,write , delete) Files. Most moderns Operating Systems have also ACL's. This allows a more fine grained control beyound the simple user/group approach. There are two main problems with any access control System. Someone can get around access control by using some local/remote exploit or much more simple by getting rid of the Framework - the Operating System - under which the Subsystem executes that controls the access. Simply booting another instance of the same OS can do the trick or just using tools from a 'standalone' (floppy) System. If someone has local access (complete physical controll) to the system , access control can't stop any experienced attacker. And is finally the point were Crypto Filessytems put another barrier infront of a potential attacker.
SuxOS introduces a revolutionary security structure, using among others, the Linux Intrusion Detection System to enforce MAC (Mandatory Access Control), the grsecurity kernel patch, to enhance overall security by putting restrictions on various parts of the /proc filesystem, preventing common buffer overflows, TCP/IP stealth code et cetera, plus the valuable protection from format string vulnerabilities given by FormatGuard. Other than that, Pluggable Authentication Modules are used for resource limiting and authentication. All this, together with the
fact that SuxOS only includes applications and servers that are known to have a history of few or none security flaws, gives the administrator unsurpassed security and control over the system.
The Linux Intrusion Detection System makes it possible to make an incredibly fine grained set of Access Control Lists, thus making it virtually impossible for even a skilled cracker to penetrate the strong security layers of SuxOS. LIDS provides the ability to control all access to system resources, even preventing a root compromise from subverting the security of the entire system. The default Access Control Lists in SuxOS, has been set up in a very secure fashion, by locking up the system completely, and then explicitly granting access to the applications that need it. The outcome of this is extremely fine grained access control, unsurpassed by any other known Linux distribution today.
Security of the host itself has been significantly improved. Enforcement of longer passwords, insecure protocols non-existent, and extensive logging and auditing provide a solid foundation to build a complete corporate Internet presence.
NSA Security-Enhanced Linux (SELinux)
implements flexible and fine-grained mandatory access controls for Linux.
These controls can be used to confine processes (including superuser processes)
to least privilege, to protect the integrity and confidentiality of processes
and data, and to support protected subsystems or assured pipelines. SELinux
is available under the GNU General Public License.
The Rule Set Based Access Control ( RSBAC ) system is an open source security extension to current Linux kernels, which has been continuously developed for several years. The current stable version 1.1.2 has been released on 27th of August 2001.
RSBAC was designed according to the Generalized Framework for Access Control (GFAC) to overcome the deficiencies of access control in standard Linux systems, and to make a flexible combination of security models as well as proper access logging possible.
Access control is devided into enforcement, decision and data structures, and all access modes are grouped into abstract request types. Also, the controlled object types include interprocess communication as well as devices (not only device special files).
The abstraction makes the framework and the existing model implementations easily portable to other operation systems.
Among the nine access control models, which are currently included, are well known ones, like MAC/Bell-LaPadula, as well as new models, which have been specially designed for *nix server needs. Specially, the complex and powerful Role Compatibility model and the Access Control Lists model provide fine grained control over all objects in the system, while the Authorization model easily controls user IDs used by all programs.
Installation requires a kernel patch, RSBAC configuration and a recompile. The complete set of administration tools contains a range of menues for most tasks.
Practical experience shows the system to be fast and stable for production use, what is one reason for its growing acceptance. There are already two Linux distributions with RSBAC included and a lot of server systems running it.
In the next major release 1.2.0, real network access control will be provided and the whole access control data handling subsystem will have been changed and optimized.
a set of trusted operating system extensions to the FreeBSD operating system,
targeting the Common Criteria for Information Technology Security Evaluation
(CC).
About TrustedBSD
The TrustedBSD project provides a set of trusted operating system
extensions to the FreeBSD operating system, targeting the Common
Criteria for Information Technology Security Evaluation (CC). This
project is still under development, and much of the code is destined
to make its way back into the base FreeBSD operating system.
This Web site will provide access to documentation,
code relating to features that are still under development, and
code that has its fingers in too many places to justify integrating
into the base operating system. Targeted features include:
access control modules. This framework provides
general-purpose labeling of kernel subjects/objects, centralized
policy management, and access to a variety of run-time security
events. This will allow the compile-time, boot-time, and
run-time extension of the operating system security model
based in both TrustedBSD access control modules, and
third-party modules that employ the extension framework.
supporting a variety of access control models, including fixed
and floating label Biba integrity policies, the MLS
confidentiality policy, Type Enforcement, and other customized
policies designed for common FreeBSD deployment scenarios.
In addition, the SELinux FLASK and Type Enforcement
implementations will be provided via an SEBSD module, providing
access to the higher level FLASK service abstraction, and
mature TE implementation.
risk associated with common system management functions.
resources allowing fine-grained and manageable discretionary
access control.
to monitor security events and notify administrators in the event
of irregularities.
The TrustedBSD Project is made possible through the generous
sponsorship and donations of a variety of organizations, including
DARPA, NAI Labs, Safeport Network Services, the University of
Pennsylvania, Yahoo!, and others. Contributions to support the
TrustedBSD Project are welcome; please consider making donations
through the FreeBSD
Foundation.
The FreeBSD ``Jail'' facility provides the ability to partition the operating system environment, while maintaining the simplicity of the UNIX ``root'' model. In Jail, users with privilege find that the scope of their requests is limited to the jail, allowing system administrators to delegate management capabilities for each virtual machine environment. Creating virtual machines in this manner has many potential uses; the most popular thus far has been for providing virtual machine services in Internet Service Provider environments.
A program such as xntpd might go through the following process to relinquish the rights that are not necessary for normal operation:
* Start with full root privileges as it normally does
* Bind to the privileged ntp port
* Drop all capabilities other than CAP_SYS_TIME
* Drop root privileges (preventing it from even writing to root-owned files)
* Continue normal operation as a regular administrative account
Currently, programs need to be modified to take advantage of capabilities. With filesystem capabilities, this sometimes won't be necessary. It might go something like this:
[root@magneto /root]# chattr +CAP_BIND xntpd
This would enable the xntpd process to bind to a socket without requiring root privileges prior to being run. Quite powerful. At the same time, it's also contains a certain potential danger due to making an unprivileged binary slightly privileged.