Welcome to Linux Knowledge Base and Tutorial
"The place where you learn linux"
International Medical Corps

 Create an AccountHome | Submit News | Your Account  

Tutorial Menu
Linux Tutorial Home
Table of Contents

· Introduction to Operating Systems
· Linux Basics
· Working with the System
· Shells and Utilities
· Editing Files
· Basic Administration
· The Operating System
· The X Windowing System
· The Computer Itself
· Networking
· System Monitoring
· Solving Problems
· Security
· Installing and Upgrading
· Linux and Windows

Man Pages
Linux Topics
Test Your Knowledge

Site Menu
Site Map
Copyright Info
Terms of Use
Privacy Info
Masthead / Impressum
Your Account

Private Messages

News Archive
Submit News
User Articles
Web Links


The Web

Who's Online
There are currently, 74 guest(s) and 0 member(s) that are online.

You are an Anonymous user. You can register for free by clicking here




       For  the  purpose  of performing permission checks, tradi­
       tional Unix implementations distinguish two categories  of
       processes:  privileged  processes (whose effective user ID
       is 0, referred to as superuser or root), and  unprivileged
       processes  (whose  effective UID is non-zero).  Privileged
       processes  bypass  all  kernel  permission  checks,  while
       unprivileged  processes  are  subject  to  full permission
       checking based  on  the  process's  credentials  (usually:
       effective  UID,  effective  GID,  and  supplementary group

       Starting with kernel 2.2, Linux provides an (as yet incom­
       plete) system of capabilities, which divide the privileges
       traditionally  associated  with  superuser  into  distinct
       units that can be independently enabled and disabled.

   Capabilities List
       As  at Linux 2.4.20, the following capabilities are imple­

              Allow arbitrary changes to file UIDs and GIDs  (see

              Bypass  file  read,  write,  and execute permission
              checks.  (DAC = "discretionary access control".)

              Bypass file read permission  checks  and  directory
              read and execute permission checks.

              Bypass  permission  checks  on operations that nor­
              mally require the file system UID of the process to
              match the UID of the file (e.g., utime(2)), exclud­
              ing those operations covered by  the  CAP_DAC_OVER­
              RIDE  and CAP_DAC_READ_SEARCH; ignore sticky bit on
              file deletion.

              Don't clear set-user-ID and set-group-ID bits  when
              a  file  is  modified;  permit  setting of the set-
              group-ID bit for a file whose GID  does  not  match
              the file system or any of the supplementary GIDs of
              the calling process.

              Permit memory locking (mlock(2), mlockall(2),  shm­

              EXT2_IMMUTABLE_FL ext2 extended file attributes.

              (Linux 2.4 onwards) Allow creation of special files
              using mknod(2).

              Allow  various  network-related  operations  (e.g.,
              setting  privileged socket options, enabling multi­
              casting, interface configuration, modifying routing

              Allow  binding  to  Internet domain reserved socket
              ports (port numbers less than 1024).

              (Unused)  Allow socket broadcasting, and  listening

              Permit use of RAW and PACKET sockets.

              Allow  arbitrary  manipulations of process GIDs and
              supplementary GID list; allow forged GID when pass­
              ing socket credentials via Unix domain sockets.

              Grant or remove any capability in the caller's per­
              mitted capability set to or from any other process.

              Allow   arbitrary  manipulations  of  process  UIDs
              (setuid(2), etc.); allow forged  UID  when  passing
              socket credentials via Unix domain sockets.

              Permit  a range of system administration operations
              including:   quotactl(2),   mount(2),    swapon(2),
              sethostname(2),   setdomainname(2),   IPC_SET   and
              IPC_RMID  operations  on  arbitrary  System  V  IPC
              objects;  allow forged UID when passing socket cre­

              Permit calls to reboot(2).

              Permit calls to chroot(2).


              Allow   arbitrary  processes  to  be  traced  using

              Permit I/O port operations (iopl(2) and ioperm(2)).

              Permit: use of reserved space on ext2 file systems;
              ioctl(2) calls controlling  ext3  journaling;  disk
              quota  limits  to be overridden; resource limits to
              be  increased  (see   setrlimit(2));   RLIMIT_NPROC
              resource  limit  to be overridden; msg_qbytes limit
              for a message queue to be raised above the limit in
              /proc/sys/kernel/msgmnb     (see    msgop(2)    and

              Allow  modification  of  system  clock  (settimeof­
              day(2),  adjtimex(2));  allow modification of real-
              time (hardware) clock

              Permit calls to vhangup(2).

   Process Capabilities
       Each process has three capability sets containing zero  or
       more of the above capabilities:

              the capabilities used by the kernel to perform per­
              mission checks for the process.

              the capabilities that the process may assume (i.e.,
              a  limiting  superset  for  the  the  effective and
              inheritable sets).  If a process drops a capability
              from  its  permitted  set,  it can never re-acquire
              that capability (unless  it  execs  a  set-UID-root

              the capabilities preserved across an execve(2).

       In  the  current  implementation, a process is granted all
       permitted and effective capabilities (subject to the oper­
       ation of the capability bounding set described below) when
       it execs a set-UID-root program, or if a  process  with  a
       real UID of zero execs a new program.

       A  child  created  via fork(2) inherits copies of its par­
       bit mask parameter is expressed as a signed decimal number
       in /proc/sys/kernel/cap-bound.)

       Only  the  init  process  may  set  bits in the capability
       bounding set; other than  that,  the  superuser  may  only
       clear bits in this set.

       On  a  standard  system the capability bounding set always
       masks out the  CAP_SETPCAP  capability.   To  remove  this
       restriction,  modify the definition of CAP_INIT_EFF_SET in
       include/linux/capability.h and rebuild the kernel.

   Current and Future Implementation
       A full implementation of capabilities requires:

       1.  that for all privileged operations, the  kernel  check
           whether the process has the required capability in its
           effective set.

       2.  that the kernel provide system calls allowing  a  pro­
           cess's capability sets to be changed and retrieved.

       3.  file  system  support for attaching capabilities to an
           executable file, so that a process gains  those  capa­
           bilities when the file is execed.

       As  at  Linux 2.4.20, only the first two of these require­
       ments are met.

       Eventually, it should be possible to associate three capa­
       bility sets with an executable file, which, in conjunction
       with the capability sets of the  process,  will  determine
       the capabilities of a process after an exec:

              this  set is ANDed with the process's inherited set
              to determine which inherited capabilities are  per­
              mitted to the process after the exec.

              the  capabilities  automatically  permitted  to the
              process,  regardless  of  the  process's  inherited

              those  capabilities  in the process's new permitted
              set are also to be set in the  new  effective  set.
              (F(effective)  would  normally be either all zeroes
              or all ones.)

       In the meantime, since the current implementation does not
       of the process using the following algorithm:

           P'(permitted) = (P(inherited) & F(allowed)) | (F(forced) & cap_bset)

           P'(effective) = P'(permitted) & F(effective)

           P'(inherited) = P(inherited)    [i.e., unchanged]


       P         denotes  the  value  of a process capability set
                 before the exec

       P'        denotes the value of a capability set after  the

       F         denotes a file capability set

       cap_bset  is the value of the capability bounding set.


       The  libcap  package provides a suite of routines for set­
       ting and getting process capabilities that  is  more  com­
       fortable and less likely to change than the interface pro­
       vided by capset(2) and capget(2).


       No standards govern capabilities, but the Linux capability
       implementation  is  based  on  the withdrawn POSIX 1003.1e
       draft standard.


       There is as yet no file system support allowing  capabili­
       ties to be associated with executable files.


       capget(2), prctl(2)

Linux 2.4.20                2003-05-23            CAPABILITIES(7)

More information about the site can be found in the FAQ



Security Code
Security Code
Type Security Code

Don't have an account yet? You can create one. As a registered user you have some advantages like theme manager, comments configuration and post comments with your name.

Help if you can!

Amazon Wish List

Did You Know?
You can choose larger fonts by selecting a different themes.


Tell a Friend About Us

Bookmark and Share

Web site powered by PHP-Nuke

Is this information useful? At the very least you can help by spreading the word to your favorite newsgroups, mailing lists and forums.
All logos and trademarks in this site are property of their respective owner. The comments are property of their posters. Articles are the property of their respective owners. Unless otherwise stated in the body of the article, article content (C) 1994-2013 by James Mohr. All rights reserved. The stylized page/paper, as well as the terms "The Linux Tutorial", "The Linux Server Tutorial", "The Linux Knowledge Base and Tutorial" and "The place where you learn Linux" are service marks of James Mohr. All rights reserved.
The Linux Knowledge Base and Tutorial may contain links to sites on the Internet, which are owned and operated by third parties. The Linux Tutorial is not responsible for the content of any such third-party site. By viewing/utilizing this web site, you have agreed to our disclaimer, terms of use and privacy policy. Use of automated download software ("harvesters") such as wget, httrack, etc. causes the site to quickly exceed its bandwidth limitation and are therefore expressly prohibited. For more details on this, take a look here

PHP-Nuke Copyright © 2004 by Francisco Burzi. This is free software, and you may redistribute it under the GPL. PHP-Nuke comes with absolutely no warranty, for details, see the license.
Page Generation: 0.09 Seconds