On Thu, 2012-03-01 at 19:53 +0000, Jim Henderson wrote:
On Thu, 01 Mar 2012 14:52:43 +0100, Per Jessen wrote:
Well, maybe start with "man capabilities". I think that is where I saw CAP_NET_BROADCAST mentioned. I have never played with any of this, but my understanding is that you can manage various capabilities on a per-process or per-user basis. I'm grasping at straws, but I'm sure somebody here will have an actual understanding of this.
From what I understand, kernel capabilities are disabled selectively - you start a program as root and it has access to everything, and then the program (perhaps also an external process can do this - that I don't know) disables what the program shouldn't be allowed to do.
The kernel does this. If the UID is 0 (root) some set of permissions are enabled. If not 0 (not running as root) a different default set are enabled. The 'capabilities' mechanism allows extension of what non-0 UID apps can do. The permissions, it seems, are stored in the file system along with the executable (see 'man capabilities'). So, I would imagine it requires either a specific file system, or that additional file system options be enabled. The man page is rather vague.

Yours sincerely,

Roger Oberholtzer

OPQ Systems / Ramböll RST
Office: Int +46 10-615 60 20
Mobile: Int +46 70-815 1696
roger.oberholtzer@ramboll.se
________________________________________
Ramböll Sverige AB
Krukmakargatan 21
P.O. Box 17009
SE-104 62 Stockholm, Sweden
www.rambollrst.se
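As an added illustration (not code from this thread or from any of the posters), the C program below shows the per-process side of what Roger describes: the kernel keeps a permitted, effective and bounding capability set for every process and exposes them as 64-bit hex bitmasks in /proc/self/status (the CapPrm, CapEff and CapBnd lines). The program decodes those masks into names using the capability numbers documented in capabilities(7) (CAP_NET_BROADCAST is bit 11). Run it once as an ordinary user and once as root to see the two "default sets" Roger mentions; the name table and the status text used in the test are assumptions and constructed sample input, not anything taken from the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>

/* Capability numbers as listed in capabilities(7) / <linux/capability.h>
 * (assumption: table written by hand here; only the first 37 are named,
 * any higher bit prints as "CAP_<n>"). */
static const char *const cap_names[] = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND",
};
#define CAP_NAMES_KNOWN (sizeof cap_names / sizeof cap_names[0])

/* /proc/<pid>/status prints each capability set as a 64-bit hex bitmask. */
uint64_t cap_parse_hex(const char *hex) { return strtoull(hex, NULL, 16); }

/* 1 if capability number 'cap' is present in 'mask', else 0. */
int cap_is_set(uint64_t mask, int cap) {
    return cap >= 0 && cap < 64 && (int)((mask >> cap) & 1u);
}

/* Number of capabilities in a set (population count). */
int cap_count(uint64_t mask) {
    int n = 0;
    for (; mask; mask &= mask - 1) n++;
    return n;
}

const char *cap_name(int cap) {
    static char buf[16];
    if (cap >= 0 && (size_t)cap < CAP_NAMES_KNOWN) return cap_names[cap];
    snprintf(buf, sizeof buf, "CAP_%d", cap);
    return buf;
}

/* Find "<field>:<tab><hex>" in a status-file body (e.g. field "CapEff").
 * Returns 1 and stores the mask, or 0 if the field is absent. Works on a
 * buffer so it can be exercised on constructed text as well as on the
 * live /proc/self/status. */
int cap_from_status(const char *status, const char *field, uint64_t *out) {
    char key[32];
    snprintf(key, sizeof key, "%s:", field);
    const char *line = status;
    while (line && *line) {
        if (strncmp(line, key, strlen(key)) == 0) {
            *out = cap_parse_hex(line + strlen(key)); /* strtoull skips the tab */
            return 1;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return 0;
}

/* Read the caller's own status file into buf; returns bytes read (0 on error). */
static size_t read_self_status(char *buf, size_t len) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return n;
}

static void print_set(const char *label, uint64_t mask) {
    printf("%s (%d bits):", label, cap_count(mask));
    for (int c = 0; c < 64; c++)
        if (cap_is_set(mask, c)) printf(" %s", cap_name(c));
    printf("\n");
}

int main(void) {
    char status[8192];
    uint64_t prm = 0, eff = 0, bnd = 0;
    if (!read_self_status(status, sizeof status)) {
        perror("/proc/self/status");
        return 1;
    }
    printf("uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    if (cap_from_status(status, "CapPrm", &prm)) print_set("CapPrm", prm);
    if (cap_from_status(status, "CapEff", &eff)) print_set("CapEff", eff);
    if (cap_from_status(status, "CapBnd", &bnd)) print_set("CapBnd", bnd);
    printf("CAP_NET_BROADCAST effective: %s\n", cap_is_set(eff, 11) ? "yes" : "no");
    return 0;
}
```

Build with `cc -std=c99 -Wall caps.c -o caps`. As an unprivileged user CapPrm and CapEff normally come out empty while CapBnd still lists everything the process could ever gain, which is the non-root "default set"; as root both are full. The per-file side that Roger speculates about is the `security.capability` extended attribute on the executable, which is why the file system has to support extended attributes; `getcap` (from libcap) prints it for a given binary.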