[http://lwn.net/Articles/313838/]
=====
Filesystem capabilities in Fedora 10
By Jake Edge
January 7, 2009
Linux capabilities have been around for a long time, but they are
finally starting to get to the point where they can actually be used.
There are still no mainstream distributions that make use of them, but
Fedora 10 has all of the requisite functionality available, as Ulrich
Drepper recently pointed out in a blog posting. There are now systems
available for administrators to begin to try out capabilities to see
what advantages they offer.
[...]
The canonical test program for capabilities seems to be ping; that is
what Drepper used, as did Chris Friedhoff in his capabilities
documentation. Currently in Fedora 10, ping is a setuid-root program
as it needs privileges that normal users do not have. Removing the
setuid bit with
chmod u-s /bin/ping
results in normal users getting the following error:
ping: icmp open socket: Operation not permitted
But, ping can be left without the setuid bit, by proper application of
capabilities.
[...]
The capability required by ping is CAP_NET_RAW, so an administrator
who wants to have a non-setuid-root ping must do:
setcap cap_net_raw=ep /bin/ping
This sets the CAP_NET_RAW bit in both the "effective" (e) and
"permitted" (p) capability sets. These two sets, along with the
"inheritable" set, govern the capabilities that a process has or can
set. Serge Hallyn's developerWorks article is a good reference for how
those sets interact.
[...]
=====
--
Soh Kam Yung
my Google Reader Shared links:
(http://www.google.com/reader/shared/16851815156817689753)
my Google Reader Shared SFAS links:
(http://www.google.com/reader/shared/user/16851815156817689753/label/sfas)
_______________________________________________
Slugnet mailing list
[email protected]
http://wiki.lugs.org.sg/LugsMailingListFaq
http://www.lugs.org.sg/mailman/listinfo/slugnet
