Hello,

On Tuesday, 4 August 2020, 05:02:30 CEST, Murali Selvaraj wrote:
> cat /etc/foo =================> Ensure this file belongs to root
> ls -ltr /etc/foo
> -rw-r--r-- 1 root root 8 Aug 3 20:31 /etc/foo

This means everybody can read (or cat) the file, therefore no
capabilities are needed.

Capabilities also won't help if a non-root user tries to read
    -rw------- 1 root root 8 Aug 3 20:31 /etc/foo
because the file permissions won't allow this. For a special case,
see [1].

However, a process running as root will need the dac_override
capability to read
    -rw------- 1 some_user users 8 Aug 3 20:31 /etc/foo
because the file permissions only allow some_user to read the file,
but not root (unless root has the dac_override capability).

As a sidenote: you can find a description of all capabilities in
    man 7 capabilities

Regards,

Christian Boltz

[1] You could set your /bin/cat to have the dac_override capability -
    which is basically a partial suid bit. Something like this gets done
    for /usr/bin/ping on openSUSE, which gets the net_raw capability
    instead of a suid bit. Technically "chkstat" does that (based on
    some permissions.* files), but I have no idea if there's a command
    to set the capabilities for a single binary.

-- 
I certainly expected the severity db to turn around and say "So, rule,
I've been asked to determine how severe you are. Why don't you tell me
a little about yourself? Do you like hugs, puppies, and long walks on
the beach?". [Steve Beattie in apparmor]
-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
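The permission logic described in the message above, as an added example that is not part of the original mail, of AppArmor, or of the kernel: a small Python model of the Linux DAC read check with the CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH bypasses, run over the three `ls -l` listings from the mail. The numeric ids for some_user and users (1000/100), the helper names, and the simplified treatment of file capabilities on exec are assumptions; the model ignores POSIX ACLs, LSM hooks such as AppArmor, and the immutable attribute.

```python
from dataclasses import dataclass

# Constructed model of the Linux DAC read check (what generic_permission()
# does in the kernel, minus ACLs, LSMs such as AppArmor, and the immutable
# attribute). Added illustration, not code from the AppArmor list or kernel.

CAP_DAC_OVERRIDE = "cap_dac_override"        # bypass r/w/x mode-bit checks
CAP_DAC_READ_SEARCH = "cap_dac_read_search"  # bypass read and search checks only


@dataclass(frozen=True)
class File:
    path: str
    mode: int   # permission bits only, e.g. 0o644
    uid: int    # owner, third column of ls -l
    gid: int    # group, fourth column of ls -l


@dataclass(frozen=True)
class Process:
    uid: int                         # filesystem uid
    gid: int                         # primary group
    groups: frozenset = frozenset()  # supplementary groups
    caps: frozenset = frozenset()    # effective capability set


def parse_ls_mode(s):
    """Turn the 10-character mode column of `ls -l` into an int: "-rw-r--r--" -> 0o644."""
    if len(s) != 10:
        raise ValueError("expected a 10-character ls mode string")
    bits = 0
    for ch, want in zip(s[1:], "rwxrwxrwx"):
        bits <<= 1
        if ch == "-" or (want == "x" and ch in "ST"):   # S/T: setuid/setgid/sticky without x
            continue
        if ch == want or (want == "x" and ch in "st"):  # s/t: setuid/setgid/sticky plus x
            bits |= 1
        else:
            raise ValueError(f"unexpected {ch!r} in mode string")
    return bits


def can_read(proc, f):
    """Return (allowed, reason) for open(O_RDONLY) of `f` by `proc`."""
    if CAP_DAC_OVERRIDE in proc.caps:
        return True, "CAP_DAC_OVERRIDE bypasses the mode bits"
    if CAP_DAC_READ_SEARCH in proc.caps:
        return True, "CAP_DAC_READ_SEARCH bypasses the read check"
    # Exactly one class applies. The owner class wins as soon as the uid
    # matches, even when its bits are stricter than group/other. uid 0 is
    # not special here: root without capabilities is just another uid.
    if proc.uid == f.uid:
        cls, shift = "owner", 6
    elif proc.gid == f.gid or f.gid in proc.groups:
        cls, shift = "group", 3
    else:
        cls, shift = "other", 0
    class_bits = (f.mode >> shift) & 0o7
    allowed = bool(class_bits & 0o4)
    verb = "grant" if allowed else "deny"
    return allowed, f"{cls} bits {class_bits:o} {verb} read of {f.path}"


def exec_with_file_caps(proc, file_caps):
    """Rough model (assumption) of execve() on a binary carrying `setcap <caps>+ep`:
    the named capabilities become effective for the new process while the uid stays
    the same, which is why the message calls this a "partial suid bit". The
    bounding, inheritable and ambient sets are ignored."""
    return Process(proc.uid, proc.gid, proc.groups, proc.caps | frozenset(file_caps))


def cases():
    """The three listings from the message, as constructed objects.
    Assumed ids: root = 0/0, some_user = uid 1000, users = gid 100."""
    world_readable = File("/etc/foo", parse_ls_mode("-rw-r--r--"), 0, 0)
    root_only = File("/etc/foo", parse_ls_mode("-rw-------"), 0, 0)
    user_owned = File("/etc/foo", parse_ls_mode("-rw-------"), 1000, 100)

    some_user = Process(uid=1000, gid=100)
    root_no_caps = Process(uid=0, gid=0)   # e.g. root in a container with caps dropped
    root = Process(uid=0, gid=0, caps=frozenset({CAP_DAC_OVERRIDE}))
    cat_with_dac_override = exec_with_file_caps(some_user, {CAP_DAC_OVERRIDE})  # footnote [1]

    return {
        "some_user reads 0644 root:root": can_read(some_user, world_readable)[0],
        "some_user reads 0600 root:root": can_read(some_user, root_only)[0],
        "root (no caps) reads 0600 root:root": can_read(root_no_caps, root_only)[0],
        "root (no caps) reads 0600 some_user:users": can_read(root_no_caps, user_owned)[0],
        "root + dac_override reads 0600 some_user:users": can_read(root, user_owned)[0],
        "some_user via cat with dac_override reads 0600 root:root": can_read(cat_with_dac_override, root_only)[0],
    }


if __name__ == "__main__":
    for desc, ok in cases().items():
        print(f"{'allowed' if ok else 'denied':8} {desc}")
```

On a real system the file capability from footnote [1] is set with setcap from libcap, e.g. `setcap cap_net_raw+ep /usr/bin/ping`, read back with `getcap /usr/bin/ping`, and a process's own sets are shown by `capsh --print`. Note the "root (no caps)" rows: uid 0 without CAP_DAC_OVERRIDE is denied exactly like any other uid, and a process confined by an AppArmor profile additionally needs a `capability dac_override,` rule before the kernel lets it use the capability.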