Filesystem capabilities for Linux

Note: the user-space tools are not POSIX compatible.

This implementation adds filesystem capabilities to the Linux kernel. It does not change how capabilities are used and interpreted in the kernel proper.

With this patch you can grant selective privileges to executables on an as-needed basis. For some executables this removes the need to run as root or as a suid-root binary altogether.
For example, you may drop the SUID bit from ping and grant the

    chmod u-s /bin/ping
    chcap cap_net_raw=ep /bin/ping
Another use would be to run system daemons with their own uid:

    chcap cap_net_bind_service=ei /usr/sbin/named

This sets the effective and inheritable capabilities of named.
In your startup script:

    inhcaps cap_net_bind_service=i bind:bind /usr/sbin/named

This sets the inheritable set to CAP_NET_BIND_SERVICE, which is needed in order to bind to port 53, and runs named as user bind with group bind.

This allows named to run with only the restricted privileges it needs, provided the parent process (root) already holds them. When started by a regular user, named runs without any privileges.
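The two examples above rely on how the kernel combines a process's capability sets with the file's sets at exec time. The following model, added here as an illustration and not code from the patch or its chcap/inhcaps tools, parses chcap-style specs and applies the POSIX.1e-draft transformation rule (new permitted = (process inheritable AND file inheritable) OR file permitted; new effective = new permitted AND file effective). The capability names and bit numbers are a constructed subset, the bounding set is assumed to contain everything, and the scenario functions are assumptions that mirror the ping and named cases on this page.

```python
"""Model of how file capabilities become process capabilities on exec.

Added example, not part of the fs-caps patch or its tools. Assumes the
POSIX.1e-draft rule:

    P'(permitted)   = (P(inheritable) & F(inheritable)) | F(permitted)
    P'(effective)   = P'(permitted) & F(effective)
    P'(inheritable) = P(inheritable)

with the bounding set taken as "all capabilities" for simplicity.
"""

# Constructed subset of capability names (bit numbers as in linux/capability.h).
CAPS = {"cap_net_bind_service": 10, "cap_net_raw": 13, "cap_sys_admin": 21}


def parse_spec(spec):
    """Parse a chcap-style spec such as 'cap_net_raw=ep' or
    'cap_net_bind_service,cap_net_raw=i' into the three file sets.

    Returns a dict with keys 'e', 'i', 'p' mapping to frozensets of names.
    """
    sets = {"e": set(), "i": set(), "p": set()}
    for clause in spec.split():
        names, sep, flags = clause.partition("=")
        if not sep or not flags or set(flags) - set("eip"):
            raise ValueError(f"bad clause: {clause!r}")
        for name in names.split(","):
            if name not in CAPS:
                raise ValueError(f"unknown capability: {name!r}")
            for flag in flags:
                sets[flag].add(name)
    return {k: frozenset(v) for k, v in sets.items()}


def exec_caps(proc_inheritable, file_caps):
    """Capability sets of the new image given the caller's inheritable set
    and the file's (e, i, p) sets."""
    new_permitted = (proc_inheritable & file_caps["i"]) | file_caps["p"]
    new_effective = new_permitted & file_caps["e"]
    return {"p": new_permitted, "e": new_effective, "i": proc_inheritable}


# Scenarios (assumed, modelled on the page's examples).

def ping_as_user():
    """ping with cap_net_raw=ep, run by a user whose inheritable set is empty:
    the permitted bit on the file alone supplies the privilege."""
    return exec_caps(frozenset(), parse_spec("cap_net_raw=ep"))


def named_from_inhcaps():
    """named with cap_net_bind_service=ei, started by a root parent that used
    inhcaps to place cap_net_bind_service in its inheritable set."""
    parent_inh = frozenset({"cap_net_bind_service"})
    return exec_caps(parent_inh, parse_spec("cap_net_bind_service=ei"))


def named_as_user():
    """Same binary started by a regular user: nothing to inherit, so the
    daemon ends up with no privileges at all."""
    return exec_caps(frozenset(), parse_spec("cap_net_bind_service=ei"))


def named_if_marked_ep():
    """Contrast: had named been marked =ep like ping, any user could start it
    with the bind privilege, which is why the page uses =ei instead."""
    return exec_caps(frozenset(), parse_spec("cap_net_bind_service=ep"))


if __name__ == "__main__":
    for label, result in [("ping (user)", ping_as_user()),
                          ("named via inhcaps", named_from_inhcaps()),
                          ("named (user)", named_as_user()),
                          ("named if =ep (user)", named_if_marked_ep())]:
        print(f"{label:22s} effective={sorted(result['e'])} "
              f"permitted={sorted(result['p'])}")
```

The contrast case shows the design choice behind the page's named example: marking the file `=ei` ties the privilege to a parent that deliberately passes it down via its inheritable set, whereas `=ep` would hand the privilege to whoever executes the file.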
Caveat: resize2fs(8) might relocate inodes and thus break fs capabilities. For this to work you must dump the capability db before you resize and restore the db afterwards.
Links and other capability implementations

- Summary about Posix.1e: Link dead!
- libcap and an alternative implementation, based on extended attributes (linux v2.4.3), see http://www.kernel.org/pub/linux/libs/security/linux-privs/
- elfcap: capabilities in elf .notes: http://atrey.karlin.mff.cuni.cz/~pavel/elfcap.html
- capwrap: capabilities as a new binfmt module: http://arctrix.com/nas/linux/capwrap.tar.gz
- linux-fscap: capabilities using ext3 extended attributes: Link dead!
- cap_over: capability override LSM: http://freshmeat.net/projects/cap_over/