In kernel 2.2, no reference is made to the process's UID. To determine
what permissions a process has, only its effective (E) capabilities
are checked.
On a classical Unix system, processes owned by root have all the
permissions and the other processes have none.
The CAP_SETPCAP capability allows a process to change the capabilities
of other processes.
In Linux 2.2 this capability is not given to any process.
To have a system using capabilities you have to change two lines in
the kernel sources (see CAPFAQ). Processes owned by root will
then have this capability.
Since kernel 2.2.11, the list of all capabilities is viewable from the
file /proc/sys/kernel/cap-bound.
lcap, which can be found at
<http://pweb.netcom.com/~spoon/lcap/>, makes it easy to remove
system capabilities (those obsolete and those you don't want).
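
The following is an added example, not code from the kernel or from lcap: it decodes a cap-bound value into the capabilities missing from the set and computes the value that describes the set with one more capability removed. It assumes the file holds the set as a single signed decimal bitmask with bit numbers as in linux/capability.h; the function names and the sample value are made up for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Bit numbers as defined in the kernel's linux/capability.h. */
static const char *const cap_names[] = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG",
};
#define NCAPS ((int)(sizeof cap_names / sizeof cap_names[0]))
enum { CAP_SETPCAP = 8, CAP_SYS_MODULE = 16 };

/* Parse the text of cap-bound (assumed: one signed decimal) into a mask. */
uint32_t cap_bound_parse(const char *text) {
    return (uint32_t)strtol(text, NULL, 10);
}

/* 1 if capability number cap is still in the set, 0 otherwise. */
int cap_bound_has(uint32_t mask, int cap) {
    return (int)((mask >> cap) & 1u);
}

/* Signed decimal value describing the set with one capability removed. */
long cap_bound_drop(uint32_t mask, int cap) {
    return (long)(int32_t)(mask & ~(UINT32_C(1) << cap));
}

/* Print every named capability missing from the set; return how many. */
int cap_bound_report(uint32_t mask) {
    int missing = 0;
    for (int cap = 0; cap < NCAPS; cap++)
        if (!cap_bound_has(mask, cap)) {
            printf("removed: %s (bit %d)\n", cap_names[cap], cap);
            missing++;
        }
    return missing;
}

int main(void) {
    /* Constructed sample, not read from /proc: all bits set except bit 8. */
    uint32_t mask = cap_bound_parse("-257\n");
    printf("mask 0x%08x: %d removed\n", (unsigned)mask, cap_bound_report(mask));
    printf("without CAP_SYS_MODULE: %ld\n", cap_bound_drop(mask, CAP_SYS_MODULE));
    return 0;
}
```

The sample value has only CAP_SETPCAP cleared, which corresponds to the statement above that no process is given that capability.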