Roger Oberholtzer wrote:
On Thu, 2012-03-01 at 19:53 +0000, Jim Henderson wrote:
On Thu, 01 Mar 2012 14:52:43 +0100, Per Jessen wrote:
Well, maybe start with "man capabilities". I think that is where I saw CAP_NET_BROADCAST mentioned. I have never played with any of this, but my understanding is that you can manage various capabilities on a per-process or per-user basis. I'm grasping at straws, but I'm sure somebody here will have an actual understanding of this.
From what I understand, kernel capabilities are disabled selectively - you start a program as root and it has access to everything, and then the program (perhaps also an external process can do this - that I don't know) disables what the program shouldn't be allowed to do.
The kernel does this. If the UID is 0 (root) some set of permissions are enabled. If not 0 (not running as root) a different default set are enabled. The 'capabilities' mechanism allows extension of what non 0 UID apps can do. The permissions, it seems, are stored in the file system along with the executable (see 'man capabilities'). So, I would imagine it requires either a specific file system, or that additional file system options be enabled. The man page is rather vague.
I think it requires extended attributes, that's all. This has a good explanation (imo): http://www.cis.syr.edu/~wedu/seed/Labs/Documentation/Linux/How_Linux_Capabil... Thinking out loud: Maybe you could run your third-party broadcasters from a little wrapper that drops privileges & capabilities, except CAP_NET_BROADCAST? You'd still need root to begin with, but the actual software would then run unprivileged. -- Per Jessen, Zürich (6.0°C) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org