Re: [PATCH] 2.6.15: Filesystem capabilities 0.16

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Olaf Dietsche <[email protected]> wrote:
> This patch implements filesystem capabilities. It allows to run
> privileged executables without the need for suid root.
> 
> Changes:
> - updated to 2.6.15
> 
> This patch is available at:
> <http://www.olafdietsche.de/linux/capability/>
> 
> Regards, Olaf.
> 
> diff -urN a/fs/Kconfig b/fs/Kconfig
> --- a/fs/Kconfig	Wed Jan  4 22:01:06 2006
> +++ b/fs/Kconfig	Sun Jan  8 15:12:25 2006
> @@ -1209,6 +1209,69 @@
>  	  It's currently broken, so for now:
>  	  answer N.
>  
> +config FS_CAPABILITIES
> +	bool "Filesystem capabilities (Experimental)"
> +	depends on EXPERIMENTAL
> +	default n
> +	help
> +	  This implementation is likely _not_ POSIX compatible.
> +
> +	  If you say Y here, you will be able to grant selective privileges to
> +	  executables on a needed basis. This means for some executables, there
> +	  is no need anymore to run as root or as a suid root binary.
> +
> +	  For example, you may drop the SUID bit from ping and grant the
> +	  CAP_NET_RAW capability:
> +	  # chmod u-s /bin/ping
> +	  # chcap cap_net_raw=ep /bin/ping

Why the cap_ part? It should be enough to say, e.g.

    chcap net-raw=ep /bin/ping

('_' has SHIFT, normally... '-' is easier to type)

> +
> +	  Another use would be to run system daemons with their own uid:
> +	  # chcap cap_net_bind_service=ei /usr/sbin/named
> +	  This sets the effective and inheritable capabilities of named.
> +
> +	  In your startup script:
> +	  inhcaps cap_net_bind_service=i bind:bind /usr/sbin/named

AFAIU, the =i implies inherited, why another command to set that?

Can't comment on the rest.
-- 
Dr. Horst H. von Brand                   User #22616 counter.li.org
Departamento de Informatica                     Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria              +56 32 654239
Casilla 110-V, Valparaiso, Chile                Fax:  +56 32 797513
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux