On Fri, 02 Mar 2012 08:05:22 +0100, Roger Oberholtzer wrote:
From what I understand, kernel capabilities are disabled selectively - you start a program as root and it has access to everything, and then the program (perhaps also an external process can do this - that I don't know) disables what the program shouldn't be allowed to do.
The kernel does this. If the UID is 0 (root), some set of permissions is enabled. If not 0 (not running as root), a different default set is enabled. The 'capabilities' mechanism allows extension of what non-0 UID apps can do. The permissions, it seems, are stored in the file system along with the executable (see 'man capabilities'). So, I would imagine it requires either a specific file system, or that additional file system options be enabled. The man page is rather vague.
Looking over the man page, it seems reasonably clear to me, but then again I spent a couple of months at the end of last year looking at low-level kernel stuff for a project I was working on, and capabilities were a peripheral part of the project. The way I read the man page, it's possible to set capabilities for a particular program using a file in the filesystem (just a config file), but the default is all capabilities are enabled for a program. The initial implementation used thread-level control, but without the mechanism to pre-define what a program could do, the thread had to start first in order to be manipulated. I want to say this is part of the CGROUPS implementation, but that could be a faulty recollection on my part (as the project I was working on had to do mostly with CGROUPS).

So, for example, a program that doesn't need CAP_NET_ADMIN could voluntarily remove this capability (which might be done for security purposes, for example, to prevent some sort of exploit making the program do something it shouldn't be able to do - again, maybe a poor example, though, due to an incorrect recollection on my part), or an external control process could revoke the privilege upon seeing the program execute. Subtractive use would seem to be relevant mostly to processes run by UID 0, though - perhaps it can also allow a process to run as a non-zero UID and the capability can be added. That part isn't as clear to me in looking at the man page - might have to play around with it (an easy test - grant Wireshark CAP_NET_ADMIN and see if it can capture as non-root).

Jim

-- 
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
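As an added example (not code from any poster in this thread), here is a small Python script that decodes the per-process capability sets the kernel reports in /proc/<pid>/status, which is the quickest way to check the point discussed above: a UID-0 process normally carries the full set, while a non-root process started from a binary with file capabilities (set with `setcap` from libcap, as 'man capabilities' describes) carries only the bits it was given. The /proc excerpt is constructed; the process name dumpcap and the 0x3000 mask (CAP_NET_ADMIN plus CAP_NET_RAW, the pair Wireshark's own documentation asks for on dumpcap) are assumptions made for the sample, and the capability table covers kernels up to CAP_CHECKPOINT_RESTORE, so an older kernel's full mask is shorter.

```python
"""Decode Linux capability sets from /proc/<pid>/status.

Added example for this thread (not code from any poster). It shows that the
kernel keeps per-process capability sets and that a non-root process can run
with a small subset (e.g. CAP_NET_ADMIN) instead of the full root set.
"""
import os

# Capability bit numbers, in the order defined in <linux/capability.h>.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# The set a UID-0 process gets by default on a kernel that knows every
# capability above (41 bits); older kernels define fewer, so their mask is shorter.
FULL_MASK = (1 << len(CAP_NAMES)) - 1

# Constructed /proc/<pid>/status excerpt (assumption, not captured output): a
# non-root process whose binary carried file capabilities, so its permitted and
# effective sets hold only CAP_NET_ADMIN (bit 12) and CAP_NET_RAW (bit 13) = 0x3000.
SAMPLE_STATUS = """\
Name:\tdumpcap
Uid:\t1000\t1000\t1000\t1000
Gid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000003000
CapEff:\t0000000000003000
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""


def decode_capmask(hexmask: str) -> list:
    """Turn a hex mask as printed in /proc/<pid>/status into capability names."""
    mask = int(hexmask, 16)
    names = [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]
    if mask >> len(CAP_NAMES):  # bits newer than this table
        names.append("unknown bits above %d" % (len(CAP_NAMES) - 1))
    return names


def has_cap(hexmask: str, name: str) -> bool:
    return name in decode_capmask(hexmask)


def dropped_from_root(hexmask: str) -> list:
    """Capabilities a set lacks relative to the full root set (the 'subtractive' view)."""
    return decode_capmask("%x" % (FULL_MASK & ~int(hexmask, 16)))


def parse_status(text: str) -> dict:
    """Pull Uid and the five Cap* lines out of a /proc/<pid>/status dump."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "Uid":
            fields[key] = value.split()[0]  # real UID is the first column
        elif key in ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb"):
            fields[key] = value.strip()
    return fields


def summarize(text: str) -> dict:
    """Report what a process can actually do, compared with a UID-0 process."""
    f = parse_status(text)
    return {
        "uid": int(f["Uid"]),
        "effective": decode_capmask(f["CapEff"]),
        "missing_vs_root": dropped_from_root(f["CapEff"]),
        "bounding_is_full": (int(f["CapBnd"], 16) & FULL_MASK) == FULL_MASK,
    }


def live_summary() -> dict:
    """The same report for the current process (Linux only)."""
    with open("/proc/self/status") as fh:
        return summarize(fh.read())


if __name__ == "__main__":
    s = summarize(SAMPLE_STATUS)
    print("sample: uid", s["uid"], "effective:", ", ".join(s["effective"]) or "(none)")
    print("sample: bounding set full:", s["bounding_is_full"])
    if os.path.exists("/proc/self/status"):
        me = live_summary()
        print("this process: uid", me["uid"], "effective:",
              ", ".join(me["effective"]) or "(none)")
```

Run as a non-root user the live report shows an empty effective set; run under `sudo` it shows the full set, which is the UID-0 default the thread describes. A process that voluntarily drops a capability shows up in `dropped_from_root` as missing exactly that bit, and a file-capability grant made with `setcap` shows up as a non-root UID with a non-empty permitted/effective set, as in the constructed sample.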