In <Pine.LNX.4.21.0007251109190.30742-100000@asdf.capslock.lan> Mike A. Harris (mharris@meteng.on.ca) wrote:
> How does one exercise the CAP_SYSPCAP capability? In other
> words, if root starts up with all capabilities as defined in the
> cap-bound set, how does root pass a capability to another PID?
With capset(2) obviously...
> Is there a userland utility that root can run to give other PID's
> other capabilities?
I do not remember name but I saw such utility somewhere...
> Or am I misunderstanding the purpose of this CAP? If I'm understanding it
> correctly, why then are system daemons that require root privs, not instead
> getting only the required CAP's passed to them somehow?
Since this is big and complex task to transfer all userland from "root is god"
model to capabilities model perhaps ? Plus most daemons are not written
for Linux and thus do not support such scheme natively.
> Any help in understanding this, and finding existing utils would
> be greatly appreciated.
We do not have "Trusted Linux" (where UID 0 is just UID 0 and does not have
special power) yet, not even close. I know of no distrubution where such
work (reduce capabilities for only needed ones on daemon startup) is even
started.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Mon Jul 31 2000 - 21:00:19 EST