Comment 8 for bug 436977

Kees Cook (kees) wrote:

Well, much to my chagrin, capabilities changed in 2.6 so that they do not
survive exec(), which weakens my design a bit, but at least I've got it
working with a limited configuration file. The chmod/chgrp thing still
needs a wrapper, but as I don't have a test environment, I'm not sure what
the wrapper for that should be checking as a valid path.

Beyond that, I'm pretty happy -- it reduces a "eucalyptus" group access
attack to mostly a DoS (destroying disks, network, etc). I tried to
limit the use of "dd", but it seems like there isn't currently a way
to avoid reading/writing LV contents (due to the snapshot behavior).
Tightening that would be nice. (i.e. only read/write managed LVs.)