The Linux Programming Interface

CAPABILITIES This chapter describes the Linux capabilities scheme, which divides the traditional all-or-nothing UNIX privilege s ...

798 Chapter 39 The Linux capability scheme refines the handling of this problem. Rather than using a single privilege (i.e., eff ...

Capabilities 799 z Effective: These are the capabilities used by the kernel to perform privilege checking for the process. As lo ...

800 Chapter 39 Table 39-1: Operations permitted by each Linux capability Capability Permits process to CAP_AUDIT_CONTROL (Since ...

Capabilities 801 CAP_SETPCAP If file capabilities are not supported, grant and remove capabilities in the process’s permitted se ...

802 Chapter 39 39.3.3 Purpose of the Process Permitted and Effective Capability Sets The process permitted capability set define ...

Capabilities 803 appear that the capabilities implementation could provide this feature simply by preserving the process’s permi ...

804 Chapter 39 Next, we become the superuser, which allows us to successfully change the system time: $ sudo date -s '2018-02-01 ...

Capabilities 805 other features were added in kernels 2.6.25 and 2.6.26 in order to complete the capabilities implementation. Fo ...

806 Chapter 39 If a process has the CAP_SETPCAP capability, then it can (irreversibly) remove capabilities from its bounding set ...

Capabilities 807 If the file-system user ID is changed from 0 to a nonzero value, then the follow- ing file-related capabilitie ...

808 Chapter 39 Use the cap_set_proc() function to pass the user-space structure back to the kernel in order to change the proce ...

Capabilities 809 { cap_t caps; cap_value_t capList[1]; / Retrieve caller's current capabilities / caps = cap_get_proc(); if (cap ...

810 Chapter 39 if (cap_free(empty) == -1) return -1; return s; } int main(int argc, char *argv[]) { char *username, *password, * ...

Capabilities 811 password = getpass("Password: "); /* Encrypt password and erase cleartext version immediately */ encrypted = cr ...

812 Chapter 39 Since existing applications aren’t engineered to make use of the file-capabilities infrastructure, the kernel mus ...

Capabilities 813 SECBIT_KEEP_CAPS and the prctl() PR_SET_KEEPCAPS operation The SECBIT_KEEP_CAPS flag prevents capabilities from ...

814 Chapter 39 change their behavior after determining that they don’t have privilege for a particular operation. It can sometim ...

Capabilities 815 group, or all processes on the system except init and the caller itself. The final case excludes init because i ...

816 Chapter 39 Using capabilities within a program on a system without file capabilities Even on a system that doesn’t support f ...