Mailinglist Archive: opensuse (1165 mails)

< Previous Next >
Re: [opensuse] Re: Should openSUSE review it's Security Policies?
  • From: Roger Oberholtzer <roger@xxxxxx>
  • Date: Fri, 02 Mar 2012 08:05:22 +0100
  • Message-id: <1330671922.24308.6.camel@acme.pacific>
On Thu, 2012-03-01 at 19:53 +0000, Jim Henderson wrote:
On Thu, 01 Mar 2012 14:52:43 +0100, Per Jessen wrote:

Well, maybe start with "man capabilities". I think that is where I saw
CAP_NET_BROADCAST mentioned. I have never played with any of this, but
my understanding is that you can manage various capabilities on a
per-process or per-user basis. I'm grasping at straws, but I'm sure
somebody here will have an actual understanding of this.

From what I understand, kernel capabilities are disabled selectively -
you start a program as root and it has access to everything, and then the
program (perhaps also an external process can do this - that I don't
know) disables what the program shouldn't be allowed to do.

The kernel does this. If the UID is 0 (root) some set of permissions are
enabled. If not 0 (not running as root) a different default set are
enabled. The 'capabilities' mechanism allows extension of what non 0 UID
apps can do. The permissions, it seems, are stored in the file system
along with the executable (see 'man capabilities'). So, I would imagine
it requires either a specific file system, or that additional file
system options be enabled. The man page is rather vague.

Yours sincerely,

Roger Oberholtzer

OPQ Systems / Ramböll RST

Office: Int +46 10-615 60 20
Mobile: Int +46 70-815 1696

Ramböll Sverige AB
Krukmakargatan 21
P.O. Box 17009
SE-104 62 Stockholm, Sweden

To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

< Previous Next >
This Thread
Follow Ups