Am 24.12.2011 16:30, schrieb Aaron Konstam: > On Fri, 2011-12-23 at 22:59 +0100, Reindl Harald wrote: >> >> Am 23.12.2011 22:52, schrieb Aaron Konstam: >>>>> I guess I am thick because I can't understand the explanation in the web >>>>> page above. An example or two might have helped. >>>> >>>> you need to understand what SETUID and CAPABILITIES are >>>> what examples are you expecting? these are technics >>>> >>>> http://en.wikipedia.org/wiki/Setuid >>>> http://kernel.org/doc/man-pages/online/pages/man7/capabilities.7.html >>> >>> Examples of a specific capability replaces a setuid. You web pages were >>> of more help. >> >> [harry@srv-rhsoft:~]$ getcap /bin/ping >> /bin/ping = cap_net_raw+ep > I see the cap_net_raw in man capabilities. But what does the +ep do? sometimes google is your friend for details after get pointed in the right direction http://linux.die.net/man/3/cap_from_text A textual representation of capability sets consists of one or more whitespace-separated clauses. Each clause specifies some operations on a capability set; the set starts out with all capabilities lowered, and the meaning of the string is the state of the capability set after all the clauses have been applied in order. Each clause consists of a list of comma-separated capability names (or the word 'all'), followed by an action-list. An action-list consists of a sequence of operator flag pairs. Legal operators are: '=', '+', and '-'. Legal flags are: 'e', 'i', and 'p'. These flags are case-sensitive and specify the Effective, Inheritable and Permitted sets respectively. In the capability name lists, all names are case-insensitive. The special name 'all' specifies all capabilities; it is equivalent to a list naming every capability individually. Unnamed capabilities can also be specified by number. This feature ensures that libcap can support capabilities that were not allocated at the time libcap was compiled. However, generally upgrading libcap will add names for recently allocated capabilities. The '=' operator indicates that the listed capabilities are first reset in all three capability sets. The subsequent flags (which are optional when associated with this operator) indicate that the listed capabilities for the corresponding set are to be raised. For example: "all=p" means lower every capability in the Effective and Inheritable sets but raise all of the Permitted capabilities; or, "cap_fowner=ep" means raise the Effective and Permitted override-file-ownership capability, while lowering this Inheritable capa
Attachment:
signature.asc
Description: OpenPGP digital signature
-- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
