--- Bill O'Donnell <[email protected]> wrote:
> ... That said, can one expect, through
> the use of these enhanced capabilities,
> to be able to add some finer grain
> capabilities based on a specific userid?
POSIX capabilities are explictly disjoint from
userids in the kernel, and this is by design.
You could provide limited capability sets to
users at the application layer.
> In Chris' ping example,
> the suid is removed from /bin/ping to restrict it to
> root, and a
> capability added to allow any user to execute it.
> Can that example
> be extended to make it so only a _particular_ user
> can execute it?
Give the file the capability and set an
ACL that allows only that user execute access.
> I realize with SELinux, one could achieve the goal,
> but as a stopgap,
> can capabilities be used to get there?
Certainly, as above.
> Thanks,
> Bill
>
> --
> Bill O'Donnell
> SGI
Have a look in /etc/irix.cap on a Trix box
some time. I suspect there might be one in
your facility.
Casey Schaufler
[email protected]
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
