Welcome to Linux Knowledge Base and Tutorial
"The place where you learn linux"

 Create an AccountHome | Submit News | Your Account  

Tutorial Menu
Linux Tutorial Home
Table of Contents

· Introduction to Operating Systems
· Linux Basics
· Working with the System
· Shells and Utilities
· Editing Files
· Basic Administration
· The Operating System
· The X Windowing System
· The Computer Itself
· Networking
· System Monitoring
· Solving Problems
· Security
· Installing and Upgrading
· Linux and Windows

Glossary
MoreInfo
Man Pages
Linux Topics
Test Your Knowledge

Site Menu
Site Map
FAQ
Copyright Info
Terms of Use
Privacy Info
Disclaimer
WorkBoard
Thanks
Donations
Advertising
Masthead / Impressum
Your Account

Communication
Feedback
Forums
Private Messages
Surveys

Features
HOWTOs
News Archive
Submit News
Topics
User Articles
Web Links

Google
Google


The Web
linux-tutorial.info

Who's Online
There are currently, 353 guest(s) and 3 member(s) that are online.

You are an Anonymous user. You can register for free by clicking here

  

capabilities



DESCRIPTION

       For  the  purpose  of performing permission checks, tradi­
       tional Unix implementations distinguish two categories  of
       processes:  privileged  processes (whose effective user ID
       is 0, referred to as superuser or root), and  unprivileged
       processes  (whose  effective UID is non-zero).  Privileged
       processes  bypass  all  kernel  permission  checks,  while
       unprivileged  processes  are  subject  to  full permission
       checking based  on  the  process's  credentials  (usually:
       effective  UID,  effective  GID,  and  supplementary group
       list).

       Starting with kernel 2.2, Linux provides an (as yet incom­
       plete) system of capabilities, which divide the privileges
       traditionally  associated  with  superuser  into  distinct
       units that can be independently enabled and disabled.

   Capabilities List
       As  at Linux 2.4.20, the following capabilities are imple­
       mented:

       CAP_CHOWN
              Allow arbitrary changes to file UIDs and GIDs  (see
              chown(2)).

       CAP_DAC_OVERRIDE
              Bypass  file  read,  write,  and execute permission
              checks.  (DAC = "discretionary access control".)

       CAP_DAC_READ_SEARCH
              Bypass file read permission  checks  and  directory
              read and execute permission checks.

       CAP_FOWNER
              Bypass  permission  checks  on operations that nor­
              mally require the file system UID of the process to
              match the UID of the file (e.g., utime(2)), exclud­
              ing those operations covered by  the  CAP_DAC_OVER­
              RIDE  and CAP_DAC_READ_SEARCH; ignore sticky bit on
              file deletion.

       CAP_FSETID
              Don't clear set-user-ID and set-group-ID bits  when
              a  file  is  modified;  permit  setting of the set-
              group-ID bit for a file whose GID  does  not  match
              the file system or any of the supplementary GIDs of
              the calling process.

       CAP_IPC_LOCK
              Permit memory locking (mlock(2), mlockall(2),  shm­
              ctl(2)).

              EXT2_IMMUTABLE_FL ext2 extended file attributes.

       CAP_MKNOD
              (Linux 2.4 onwards) Allow creation of special files
              using mknod(2).

       CAP_NET_ADMIN
              Allow  various  network-related  operations  (e.g.,
              setting  privileged socket options, enabling multi­
              casting, interface configuration, modifying routing
              tables).

       CAP_NET_BIND_SERVICE
              Allow  binding  to  Internet domain reserved socket
              ports (port numbers less than 1024).

       CAP_NET_BROADCAST
              (Unused)  Allow socket broadcasting, and  listening
              multicasts.

       CAP_NET_RAW
              Permit use of RAW and PACKET sockets.

       CAP_SETGID
              Allow  arbitrary  manipulations of process GIDs and
              supplementary GID list; allow forged GID when pass­
              ing socket credentials via Unix domain sockets.

       CAP_SETPCAP
              Grant or remove any capability in the caller's per­
              mitted capability set to or from any other process.

       CAP_SETUID
              Allow   arbitrary  manipulations  of  process  UIDs
              (setuid(2), etc.); allow forged  UID  when  passing
              socket credentials via Unix domain sockets.

       CAP_SYS_ADMIN
              Permit  a range of system administration operations
              including:   quotactl(2),   mount(2),    swapon(2),
              sethostname(2),   setdomainname(2),   IPC_SET   and
              IPC_RMID  operations  on  arbitrary  System  V  IPC
              objects;  allow forged UID when passing socket cre­
              dentials.

       CAP_SYS_BOOT
              Permit calls to reboot(2).

       CAP_SYS_CHROOT
              Permit calls to chroot(2).

       CAP_SYS_MODULE

       CAP_SYS_PTRACE
              Allow   arbitrary  processes  to  be  traced  using
              ptrace(2)

       CAP_SYS_RAWIO
              Permit I/O port operations (iopl(2) and ioperm(2)).

       CAP_SYS_RESOURCE
              Permit: use of reserved space on ext2 file systems;
              ioctl(2) calls controlling  ext3  journaling;  disk
              quota  limits  to be overridden; resource limits to
              be  increased  (see   setrlimit(2));   RLIMIT_NPROC
              resource  limit  to be overridden; msg_qbytes limit
              for a message queue to be raised above the limit in
              /proc/sys/kernel/msgmnb     (see    msgop(2)    and
              msgctl(2).

       CAP_SYS_TIME
              Allow  modification  of  system  clock  (settimeof­
              day(2),  adjtimex(2));  allow modification of real-
              time (hardware) clock

       CAP_SYS_TTY_CONFIG
              Permit calls to vhangup(2).

   Process Capabilities
       Each process has three capability sets containing zero  or
       more of the above capabilities:

       Effective:
              the capabilities used by the kernel to perform per­
              mission checks for the process.

       Permitted:
              the capabilities that the process may assume (i.e.,
              a  limiting  superset  for  the  the  effective and
              inheritable sets).  If a process drops a capability
              from  its  permitted  set,  it can never re-acquire
              that capability (unless  it  execs  a  set-UID-root
              program).

       Inherited:
              the capabilities preserved across an execve(2).

       In  the  current  implementation, a process is granted all
       permitted and effective capabilities (subject to the oper­
       ation of the capability bounding set described below) when
       it execs a set-UID-root program, or if a  process  with  a
       real UID of zero execs a new program.

       A  child  created  via fork(2) inherits copies of its par­
       bit mask parameter is expressed as a signed decimal number
       in /proc/sys/kernel/cap-bound.)

       Only  the  init  process  may  set  bits in the capability
       bounding set; other than  that,  the  superuser  may  only
       clear bits in this set.

       On  a  standard  system the capability bounding set always
       masks out the  CAP_SETPCAP  capability.   To  remove  this
       restriction,  modify the definition of CAP_INIT_EFF_SET in
       include/linux/capability.h and rebuild the kernel.

   Current and Future Implementation
       A full implementation of capabilities requires:

       1.  that for all privileged operations, the  kernel  check
           whether the process has the required capability in its
           effective set.

       2.  that the kernel provide system calls allowing  a  pro­
           cess's capability sets to be changed and retrieved.

       3.  file  system  support for attaching capabilities to an
           executable file, so that a process gains  those  capa­
           bilities when the file is execed.

       As  at  Linux 2.4.20, only the first two of these require­
       ments are met.

       Eventually, it should be possible to associate three capa­
       bility sets with an executable file, which, in conjunction
       with the capability sets of the  process,  will  determine
       the capabilities of a process after an exec:

       Allowed:
              this  set is ANDed with the process's inherited set
              to determine which inherited capabilities are  per­
              mitted to the process after the exec.

       Forced:
              the  capabilities  automatically  permitted  to the
              process,  regardless  of  the  process's  inherited
              capabilities.

       Effective:
              those  capabilities  in the process's new permitted
              set are also to be set in the  new  effective  set.
              (F(effective)  would  normally be either all zeroes
              or all ones.)

       In the meantime, since the current implementation does not
       of the process using the following algorithm:

           P'(permitted) = (P(inherited) & F(allowed)) | (F(forced) & cap_bset)

           P'(effective) = P'(permitted) & F(effective)

           P'(inherited) = P(inherited)    [i.e., unchanged]

       where:

       P         denotes  the  value  of a process capability set
                 before the exec

       P'        denotes the value of a capability set after  the
                 exec

       F         denotes a file capability set

       cap_bset  is the value of the capability bounding set.


NOTES

       The  libcap  package provides a suite of routines for set­
       ting and getting process capabilities that  is  more  com­
       fortable and less likely to change than the interface pro­
       vided by capset(2) and capget(2).


CONFORMING TO

       No standards govern capabilities, but the Linux capability
       implementation  is  based  on  the withdrawn POSIX 1003.1e
       draft standard.


BUGS

       There is as yet no file system support allowing  capabili­
       ties to be associated with executable files.


SEE ALSO

       capget(2), prctl(2)

Linux 2.4.20                2003-05-23            CAPABILITIES(7)
  
Show your Support for the Linux Tutorial

Purchase one of the products from our new online shop. For each product you purchase, the Linux Tutorial gets a portion of the proceeds to help keep us going.


Login
Nickname

Password

Security Code
Security Code
Type Security Code


Don't have an account yet? You can create one. As a registered user you have some advantages like theme manager, comments configuration and post comments with your name.

Help if you can!


Amazon Wish List

Did You Know?
You can help in many different ways.


Friends



Tell a Friend About Us

Bookmark and Share



Web site powered by PHP-Nuke

Is this information useful? At the very least you can help by spreading the word to your favorite newsgroups, mailing lists and forums.
All logos and trademarks in this site are property of their respective owner. The comments are property of their posters. Articles are the property of their respective owners. Unless otherwise stated in the body of the article, article content (C) 1994-2013 by James Mohr. All rights reserved. The stylized page/paper, as well as the terms "The Linux Tutorial", "The Linux Server Tutorial", "The Linux Knowledge Base and Tutorial" and "The place where you learn Linux" are service marks of James Mohr. All rights reserved.
The Linux Knowledge Base and Tutorial may contain links to sites on the Internet, which are owned and operated by third parties. The Linux Tutorial is not responsible for the content of any such third-party site. By viewing/utilizing this web site, you have agreed to our disclaimer, terms of use and privacy policy. Use of automated download software ("harvesters") such as wget, httrack, etc. causes the site to quickly exceed its bandwidth limitation and are therefore expressly prohibited. For more details on this, take a look here

PHP-Nuke Copyright © 2004 by Francisco Burzi. This is free software, and you may redistribute it under the GPL. PHP-Nuke comes with absolutely no warranty, for details, see the license.
Page Generation: 0.07 Seconds