The user space tools are not POSIX compatible. This implementation adds filesystem capabilities to the Linux kernel; it does not change how capabilities are used and interpreted in the kernel proper.
With this patch you can grant selective privileges to executables on an as-needed basis. For some executables this removes the need to run as root or as a setuid-root binary altogether.
For example, you may drop the SUID bit from ping and grant it the CAP_NET_RAW capability instead:
chmod u-s /bin/ping
chcap cap_net_raw=ep /bin/ping
Another use would be to run system daemons with their own uid:
chcap cap_net_bind_service=ei /usr/sbin/named
This sets the effective and inheritable capabilities of named.
In your startup script:
inhcaps cap_net_bind_service=i bind:bind /usr/sbin/named
This sets the inheritable set to CAP_NET_BIND_SERVICE, which is needed in order to bind to port 53, and runs named as user bind with group bind.
This lets named run with only the restricted privileges it needs, provided the parent process (root) already holds them. When started by a regular user, named runs without any privileges.
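The two scenarios above (ping carrying cap_net_raw=ep; named carrying cap_net_bind_service=ei and started through inhcaps as user bind), worked through as an added example that is not code from this page or its patch. The clause parser follows the chcap/inhcaps syntax shown on the page, and the exec, inhcaps and setuid rules are the POSIX.1e ones Linux applies; the ROOT and USER process states and the omitted bounding set are simplifying assumptions.

```python
# Added example, not the page's or the patch's own code. A process is modelled
# as (pE, pP, pI) bitmasks and a binary by its (fE, fP, fI) file capabilities.
# POSIX.1e exec rules as applied by Linux (capability bounding set left out):
#   pP' = fP | (fI & pI)      pE' = fE & pP'      pI' = pI
# Bit numbers are from include/linux/capability.h.
CAP_BITS = {"cap_net_bind_service": 10, "cap_net_raw": 13, "cap_sys_admin": 21}
FULL = sum(1 << b for b in CAP_BITS.values())
ROOT = (FULL, FULL, 0)   # assumed: root holds everything in pE/pP, empty pI
USER = (0, 0, 0)         # assumed: a regular user holds no capabilities

def parse_clause(clause):
    """'cap_net_raw=ep' -> (fE, fP, fI) masks, chcap/inhcaps clause syntax."""
    names, _, flags = clause.partition("=")
    if not flags or set(flags) - set("eip"):
        raise ValueError(f"bad capability clause: {clause!r}")
    mask = 0
    for name in names.split(","):
        mask |= 1 << CAP_BITS[name.strip().lower()]
    return tuple(mask if f in flags else 0 for f in "epi")

def inhcaps(proc, clause):
    """Raise caps into the caller's inheritable set; only allowed for caps the
    caller already holds in pP (the 'parent owns them already' condition)."""
    _, _, want = parse_clause(clause)
    pE, pP, pI = proc
    if want & ~pP:
        raise PermissionError("caller does not hold these capabilities")
    return (pE, pP, pI | want)

def drop_root(proc):
    """setuid() from root to a plain user (bind:bind) clears pE and pP; pI stays."""
    return (0, 0, proc[2])

def execve(proc, file_clause):
    """Process capabilities after exec of a binary carrying file_clause."""
    fE, fP, fI = parse_clause(file_clause)
    new_pP = fP | (fI & proc[2])
    return (fE & new_pP, new_pP, proc[2])

def has(proc, name):
    """True if the named capability is in the process's effective set."""
    return bool(proc[0] & (1 << CAP_BITS[name]))

if __name__ == "__main__":
    # named started by the root launcher gets CAP_NET_BIND_SERVICE only;
    # started by a regular user it gets nothing at all.
    launcher = drop_root(inhcaps(ROOT, "cap_net_bind_service=i"))
    print(has(execve(launcher, "cap_net_bind_service=ei"), "cap_net_bind_service"))  # True
    print(has(execve(USER, "cap_net_bind_service=ei"), "cap_net_bind_service"))      # False
```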
Warning
resize2fs(8) might relocate inodes and thus break filesystem capabilities. For this to work you must dump the capability database before you resize and restore it afterwards.
Download
Here are the kernel patches:
Links and other capability implementations
- Summary about POSIX.1e
- For libcap and an alternative implementation based on extended attributes (Linux v2.4.3), see: http://www.kernel.org/pub/linux/libs/security/linux-privs/
- elfcap: capabilities in ELF .notes: http://atrey.karlin.mff.cuni.cz/~pavel/elfcap.html
- capwrap: capabilities as a new binfmt module: http://arctrix.com/nas/linux/capwrap.tar.gz
- linux-fscap: capabilities using ext3 extended attributes (link dead!): http://www.stanford.edu/~luto/linux-fscap/
- cap_over: capability override LSM: http://freshmeat.net/projects/cap_over/