Re: [PATCH] 2.6.0-test6: Filesystem capabilities 0.15

From: Andy Lutomirski
Date: Sat Oct 04 2003 - 02:22:25 EST

Olaf Dietsche wrote:

> This *untested* patch implements filesystem capabilities. It allows
> to run privileged executables without the need for suid root.
>
> Changes:
> - updated to 2.6.0-test6
> - added lscap to show fs caps for a particular file
>
> This patch is available at:

I have an alternate patch, implementing file capabilities using xattrs. It also implements the
exec changes I proposed a few days back, but this time around it's a config option. Note that
this patch is very non-intrusive. The user API is through setxattr and friends, and the changes
to any filesystem to support this patch are minimal (add the system.capabilities xattr and
validate its contents on setxattr).

The patch and user tools are at
(Apply the cap- patches in order. Patches are against 2.6.0-test6 vanilla.)

Olaf -- what do you think? (I like your CAP_SETFCAP addition -- I may add it to my patch.
Currently anyone can chcap their own files, as long as they hold the capabilities they want
to permit.)

$ su
# cp `which ping` myping
# chmod 755 myping
# chcap cap_net_raw+p myping
# exit
$ ./myping localhost

-- Andy Lutomirski
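
Added example, not part of the original message or of either patch: a validator and decoder for a file-capability xattr value, the kind of content check the message says a filesystem does on setxattr. It assumes the on-disk layout that mainline Linux later adopted for security.capability (vfs_cap_data), since the layout of this patch's system.capabilities attribute is not given in the message; parse_file_caps and SAMPLE are names made up for the example.

```python
import struct

# Constants from mainline Linux's include/uapi/linux/capability.h (assumed
# format; this 2003 patch's system.capabilities layout is not on the page).
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision -> (number of 32-bit permitted/inheritable pairs, has rootid)
REVISIONS = {0x01000000: (1, False), 0x02000000: (2, False), 0x03000000: (2, True)}
CAP_NAMES = {0: "cap_chown", 12: "cap_net_admin", 13: "cap_net_raw",
             21: "cap_sys_admin", 31: "cap_setfcap"}  # subset, for display only


def _names(mask):
    return sorted(CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if mask >> b & 1)


def parse_file_caps(blob):
    """Validate and decode a capability xattr value; raise ValueError if malformed."""
    if len(blob) < 4:
        raise ValueError("too short for magic_etc")
    (magic,) = struct.unpack_from("<I", blob, 0)
    rev = magic & VFS_CAP_REVISION_MASK
    if rev not in REVISIONS:
        raise ValueError(f"unknown revision {rev:#x}")
    if magic & ~(VFS_CAP_REVISION_MASK | VFS_CAP_FLAGS_EFFECTIVE):
        raise ValueError("unknown flag bits set")
    pairs, has_rootid = REVISIONS[rev]
    expected = 4 + 8 * pairs + (4 if has_rootid else 0)
    if len(blob) != expected:
        raise ValueError(f"length {len(blob)} != {expected} for this revision")
    words = struct.unpack_from(f"<{2 * pairs}I", blob, 4)
    # Even words are permitted, odd words inheritable; pair i holds bits 32*i..32*i+31.
    permitted = sum(words[2 * i] << (32 * i) for i in range(pairs))
    inheritable = sum(words[2 * i + 1] << (32 * i) for i in range(pairs))
    rootid = struct.unpack_from("<I", blob, 4 + 8 * pairs)[0] if has_rootid else None
    return {"permitted": _names(permitted), "inheritable": _names(inheritable),
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE), "rootid": rootid}


# Constructed sample: what "cap_net_raw+p" looks like as a revision-2 value.
SAMPLE = struct.pack("<5I", 0x02000000, 1 << 13, 0, 0, 0)

if __name__ == "__main__":
    print(parse_file_caps(SAMPLE))
```

On a current system the real value for a file can be read with os.getxattr(path, "security.capability") and passed to parse_file_caps; a ValueError there marks a value worth inspecting by hand.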

