Linux's Security Capabilities
2.5 Setting capabilities on executable files

Two tools are actually in development:

fcaps:
  - VFS layer patches for capabilities
  - enables granting capabilities to executable files
  - the capabilities granted are recorded in the file system
  - Ex. with ping, which needs the CAP_NET_RAW capability:
      ping doesn't need to be SUID anymore
      ping runs with the ID of the person who uses it

elfcap:
  - ELF capabilities hack
  - enables removing capabilities from any executable file in ELF format
  - all the capabilities are stored in the ELF header
  - Ex. with ping, which needs the CAP_NET_RAW capability:
      ping must still be SUID root
      If the administrator uses the correct options while defining the capabilities granted, then the program takes the ID of the person who executes it.
      Otherwise it will keep the root ID
Hervé Schauer Consultants
2000 - 4 bis, rue de la gare - 92300 Levallois-Perret
Phone : +33 141 409 700 - Fax : +33 141 409 709 - Email : <secretariat@hsc.fr>