Re: capabilities carried over execve()

From: willy tarreau (
Date: Tue Apr 24 2001 - 10:05:46 EST

I personally use this simple patch which allows me
to keep caps over execve(). It allows me to give a
few more rights to some trusted users, such as
kill, insmod... without risking unlink, chown or
so. I couldn't find any other way to achieve this.

If needed, I can send you the complete prog which
sets the requested capabilities upon login,
eventually asking for a password and limited in
time of day.


--- linux-2.2.18-wt11/fs/exec.c Fri Feb 16 23:11:52
+++ linux-2.2.18-wt11+caps/fs/exec.c Thu Feb 22
20:45:33 2001
@@ -702,7 +702,10 @@
+/*** FIXME: just a test : keep permitted and
effective ******/
+bprm->cap_permitted =
+bprm->cap_effective =
+/*** /FIXME ****/
        /* To support inheritance of root-permissions
and suid-root
          * executables under compatibility mode, we
raise all three
          * capability sets for the file.
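Review bot: the two added assignments to bprm->cap_permitted and bprm->cap_effective are unconditional and sit ahead of the suid-root compatibility block, still under a "FIXME: just a test" marker, so as written every execve() by any process would keep its permitted and effective sets, not only the trusted-user logins the patch is aimed at. I would gate them on an explicit opt-in, for example the caller's inheritable set or a per-task flag set by the login program, and drop the FIXME markers once that condition is settled. The right-hand sides of both assignments are missing in this copy of the patch, so the values actually assigned cannot be checked here.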


This archive was generated by hypermail 2b29 : Mon Apr 30 2001 - 21:00:11 EST