Implications of using cap_sys_admin+p?

[falk4243]

I'm using Sunshine on a Wayland session and streaming works well via the Wayland protocol, no matter whether "setcap cap_sys_admin+p" has been applied to the Sunshine executable or not ... which gives a warning that it can't connect to the DRM framebuffer handle in the latter case, but otherwise starts without complaint.

I'm curious: Are there any performance (or other) implications in this case or can I remove the capability when streaming from a Wayland session? Also, what are the security implications of "cap_sys_admin may as well be root" ? Could a bug in Sunshine be used to compromise the whole system if the cap is set?

[falk4243]

Did I ask an indecent question or perhaps nobody knows? From my tests, (streaming) performance doesn't change with the flag enabled or disabled and security should potentially be better, so it's probably best to leave it disabled when streaming from a Wayland session. Any other opinions?

[ReenigneArcher]

One of the Linux guru's will need to answer.

In my testing VM's I need to disable it and use Xorg or else streaming fails. But I have no GPU passthrough and only software encoding in those VMs at the moment.

Please also understand that the project is flooded with a ton of nvidia gamestream migrants, thanks to their discontinuation announcement... so answers might come slower or not at all.

[falk4243]

Thank you for your answer! I'm following the discussions on Reddit and am recommending Sunlight as an alternative left and right, so perhaps partly responsible for the influx ;) Just wanted to make sure there wasn't anything wrong with the question - not expecting an answer yesterday.