capabilities assistance/documentation?

From: Jim Breton (jamesb-kernel@alongtheway.com)
Date: Fri Jun 02 2000 - 03:27:10 EST


Are there any good resources which provide details on how to take
advantage of the kernel's capabilities? I've installed lcap, setpcap,
and friends but am surprised at how little documentation I've been able
to find (maybe I'm looking in the wrong place).

So far the best I've found is:

ftp://ftp.guardian.no/pub/free/linux/capabilities/capfaq.txt

But I'm wondering whether it's actually up to date?

For instance, one section says that to enable caps in the kernel you
must edit capabilities.h:

Change the definition of CAP_INIT_EFF_SET and CAP_INIT_INH_SET to the
following in include/linux/capability.h:

#define CAP_INIT_EFF_SET { ~0 }
#define CAP_INIT_INH_SET { ~0 }

Is this true? If so, why wouldn't this just be the default in the
kernel source? Does enabling it cause Bad Things to happen? I made
this change in the last couple of kernels I've built and the kernel
seems to run fine in general, although I've still got problems making
caps work for me (below). Of course I'd rather not have to modify the
source.

Anyway regarding the use of caps: suppose I wanted to give
CAP_NET_BIND_SERVICE to a bash process (just an example):

# getpcaps $$
Capabilities for `20536': =eip cap_setpcap-eip

# sucap jamesb jamesb execcap 'cap_net_bind_service=eip' bash
Caps: =eip cap_setpcap-eip
Caps: =i cap_setpcap-i
[debug] uid:1000, real uid:1000
sucaps: capsetp: Operation not permitted
sucap: child did not exit cleanly.

Otoh, I can do this:

# execcap 'cap_net_bind_service=ip' bash

which succeeds.

Why am I unable to give some caps to a process, and not others? And why
am I unable to preserve caps through a uid change with sucap?

Thanks for any help/pointers to docs/etc.
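
The following is an added example, not part of the post above and not code from lcap, sucap or execcap. It models in pure Python two rules that the session transcript above exercises: the capset(2) rule that a thread may not give itself a new permitted set that exceeds its current permitted set (nor an effective set that exceeds the new permitted set), and the capabilities(7) rule that a uid-0 process switching all of its uids to nonzero has its permitted and effective sets cleared while the inheritable set survives, which is what the second `Caps: =i cap_setpcap-i` line shows. The rules and capability numbers are those documented for current kernels (capset(2), capabilities(7), include/linux/capability.h), not necessarily the 2.2/2.4 behaviour the poster was running; the `keep_caps` flag models the later `PR_SET_KEEPCAPS` prctl. The `/proc/<pid>/status` text and the scenario's capability sets are constructed from the transcript, and `replay_sucap_scenario` is a name chosen here.

```python
"""Offline model of the Linux capset()/uid-change capability rules.

Sources for the rules: capset(2) and capabilities(7).  Capability numbers
follow include/linux/capability.h.  Nothing here calls the kernel.
"""

# Capability number -> name; the list index is the value in capability.h.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]
ALL_CAPS = frozenset(CAP_NAMES)


def parse_cap_mask(hexmask):
    """Decode one CapInh/CapPrm/CapEff hex value from /proc/<pid>/status."""
    value = int(hexmask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (value >> bit) & 1}


def parse_proc_status(text):
    """Return {'CapInh': set, 'CapPrm': set, ...} from /proc/<pid>/status text."""
    sets = {}
    for line in text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, _, mask = line.partition(":")
            sets[key] = parse_cap_mask(mask.strip())
    return sets


def capset_check(cur, new):
    """Apply the capset(2) acceptance rules for a thread changing its own sets.

    `cur` and `new` are dicts keyed 'e', 'p', 'i' (effective, permitted,
    inheritable) holding sets of capability names.  Returns (ok, reason).
    """
    if not new["p"] <= cur["p"]:
        return False, "EPERM: new permitted set exceeds current permitted set"
    if not new["e"] <= new["p"]:
        return False, "EPERM: new effective set exceeds new permitted set"
    # Without cap_setpcap the inheritable set is bounded by current inh|prm.
    if "cap_setpcap" not in cur["e"] and not new["i"] <= (cur["i"] | cur["p"]):
        return False, "EPERM: new inheritable set exceeds inh|prm without cap_setpcap"
    return True, "ok"


def drop_root(cur, keep_caps=False):
    """Model capabilities(7) for a uid-0 process whose uids all become nonzero:
    effective is cleared, permitted is cleared unless keep_caps (PR_SET_KEEPCAPS),
    inheritable is retained."""
    return {
        "e": set(),
        "p": set(cur["p"]) if keep_caps else set(),
        "i": set(cur["i"]),
    }


def replay_sucap_scenario():
    """Replay the transcript: a root shell showing `=eip cap_setpcap-eip`,
    a uid change, then a request for cap_net_bind_service=eip.

    Returns (allowed_before_uid_change, allowed_after, allowed_with_keepcaps).
    """
    root = {k: ALL_CAPS - {"cap_setpcap"} for k in "epi"}   # =eip cap_setpcap-eip
    want = {k: {"cap_net_bind_service"} for k in "epi"}     # cap_net_bind_service=eip
    before = capset_check(root, want)[0]
    after = capset_check(drop_root(root), want)[0]           # permitted is now empty
    kept = capset_check(drop_root(root, keep_caps=True), want)[0]
    return before, after, kept


if __name__ == "__main__":
    # Constructed sample of the Cap* lines as /proc/<pid>/status prints them.
    sample = "Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n"
    print(parse_proc_status(sample))
    print(replay_sucap_scenario())
```

Run as-is, `replay_sucap_scenario()` returns `(True, False, True)`: the request would have been accepted while the permitted set still held `cap_net_bind_service`, is refused with EPERM once the uid change has emptied the permitted set, and is accepted again only if the permitted set was kept across the uid change. Reading `CapPrm`/`CapEff` from `/proc/<pid>/status` with `parse_proc_status` is a quick way to confirm which case a process is in.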




This archive was generated by hypermail 2b29 : Wed Jun 07 2000 - 21:00:14 EST