[wiki] Using File Capabilities Instead Of Setuid




Hi people,

I created an interesting wiki article page for the new libcap 2 package (from
Hugo Doria) that is in [testing] now.
It covers all [core] packages that have setuid-root (all work fine), and
the xorg-server(*) from [extra].

I invite all those who want to work on other packages that use setuid
in [extra] and [community].

(*) Preliminary ideas/tips for Xorg that are not currently in the wiki page:

For example, if you have an nvidia card and the kernel module isn't
loaded when X starts, Xorg will load it and create the necessary
device files (/dev/nvidia0 and /dev/nvidiactl). So there are two ways to
do this: load the kernel module before startx and create the device files
manually, or assign two more capabilities to Xorg (not a good idea).

The minimum capabilities required:
setcap cap_chown,cap_dac_override,cap_sys_rawio,cap_sys_admin+ep /usr/bin/Xorg

If granting permission to load kernel modules and create device nodes (_bad idea_):
setcap cap_chown,cap_dac_override,cap_mknod,cap_sys_module,cap_sys_rawio,cap_sys_admin+ep /usr/bin/Xorg

* cap_sys_admin: Seems that when running Xorg under VirtualBox it isn't needed.
* cap_chown is required to chown the tty devices on X start/stop.
* cap_sys_rawio is for accessing /dev/mem (this will become
obsolete with KMS [Kernel Mode Setting]).
* cap_dac_override is for writing the logs.


Take Care

-- 
Gerardo Exequiel Pozzi ( djgera )
http://www.djgera.com.ar
KeyID: 0x1B8C330D
Key fingerprint = 0CAA D5D4 CD85 4434 A219  76ED 39AB 221B 1B8C 330D
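Added by the editor as a worked example; this is not code from the post, from libcap or from the Arch wiki. It shows what a setcap line like the ones above actually leaves on disk: setcap stores the capability sets in the file's security.capability extended attribute, and the script below encodes and decodes that attribute (revisions 1, 2 and 3 of the on-disk struct), formats the single-clause "names+ep" argument used in the post, flags capabilities that an auditor would treat as no better than leaving the binary setuid-root (the ROOT_EQUIVALENT list is the editor's assumption, seeded from the post's own cap_sys_module / cap_mknod warning), and, on Linux, reads the attribute and the setuid bit from a real path. The capability numbers are those of <linux/capability.h>; the sample blobs are constructed.

```python
"""Decode/encode the security.capability xattr written by setcap(8) and audit
setuid-root binaries against file capabilities.  Editor's example, not from
the post; the ROOT_EQUIVALENT list is an assumption, not a libcap definition."""
import os
import stat
import struct
import sys

# Capability names indexed by their number in <linux/capability.h>.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}

# Layout of struct vfs_cap_data / vfs_ns_cap_data: a little-endian magic word
# (revision in the top byte, effective flag in bit 0), then one (rev 1) or two
# (rev 2/3) pairs of 32-bit permitted/inheritable words, then a rootid (rev 3).
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
VFS_CAP_REVISION_1 = 0x01000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000

# Assumption (editor's audit list): granting any of these is about as good as
# leaving the file setuid-root.  The post itself warns about the first two.
ROOT_EQUIVALENT = {"cap_sys_module", "cap_mknod", "cap_sys_admin", "cap_sys_rawio",
                   "cap_dac_override", "cap_setuid", "cap_setfcap", "cap_sys_ptrace"}


def names_from_mask(mask):
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]


def mask_from_names(names):
    mask = 0
    for name in names:
        mask |= 1 << CAP_BIT[name]          # KeyError on an unknown cap name
    return mask


def encode_vfs_cap(permitted, inheritable=(), effective=True):
    """Build a VFS_CAP_REVISION_2 value, i.e. what 'setcap ...+ep' stores."""
    magic = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    p, i = mask_from_names(permitted), mask_from_names(inheritable)
    return struct.pack("<IIIII", magic, p & 0xFFFFFFFF, i & 0xFFFFFFFF, p >> 32, i >> 32)


def decode_vfs_cap(blob):
    """Parse a security.capability value; rejects unknown revisions and bad sizes."""
    if len(blob) < 4:
        raise ValueError("short security.capability value")
    (magic,) = struct.unpack_from("<I", blob, 0)
    rev = magic & VFS_CAP_REVISION_MASK
    if rev == VFS_CAP_REVISION_1:
        words = 1
    elif rev in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        words = 2
    else:
        raise ValueError("unknown vfs_cap revision 0x%08x" % rev)
    expected = 4 + 8 * words + (4 if rev == VFS_CAP_REVISION_3 else 0)
    if len(blob) != expected:
        raise ValueError("expected %d bytes, got %d" % (expected, len(blob)))
    permitted = inheritable = 0
    for w in range(words):
        p, i = struct.unpack_from("<II", blob, 4 + 8 * w)
        permitted |= p << (32 * w)
        inheritable |= i << (32 * w)
    rootid = struct.unpack_from("<I", blob, 4 + 8 * words)[0] if rev == VFS_CAP_REVISION_3 else 0
    return {"revision": rev >> 24, "permitted": names_from_mask(permitted),
            "inheritable": names_from_mask(inheritable),
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE), "rootid": rootid}


def setcap_arg(names, flags="ep"):
    """Format the single-clause argument form used in the post ('cap_a,cap_b+ep')."""
    return ",".join(sorted(names, key=CAP_BIT.__getitem__)) + "+" + flags


def risky(names):
    """Which of the requested caps an auditor should question before granting."""
    return sorted(set(names) & ROOT_EQUIVALENT, key=CAP_BIT.__getitem__)


def audit_file(path):
    """Report the setuid-root bit and decoded file caps for one path (xattr read is Linux-only)."""
    st = os.stat(path)
    report = {"path": path, "setuid_root": bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0,
              "caps": None}
    try:
        report["caps"] = decode_vfs_cap(os.getxattr(path, "security.capability"))
    except (OSError, AttributeError):
        pass                                 # ENODATA (no caps), unsupported fs, or non-Linux
    return report


if __name__ == "__main__":
    paths = sys.argv[1:] or []
    for path in paths:                       # e.g. python3 fcaps.py /usr/bin/Xorg
        r = audit_file(path)
        print(r, "risky:", risky(r["caps"]["permitted"]) if r["caps"] else [])
    # Constructed sample: the post's minimal Xorg set, round-tripped through the xattr format.
    minimal = ["cap_chown", "cap_dac_override", "cap_sys_rawio", "cap_sys_admin"]
    print(setcap_arg(minimal), decode_vfs_cap(encode_vfs_cap(minimal)))
```

Run it with a path argument to compare what getcap(8) prints against the raw attribute; without arguments it only exercises the constructed sample. The length check matters in practice: a malformed or truncated security.capability value is ignored by the kernel rather than applied, so a decoder that silently accepted short blobs would report capabilities a binary does not actually get.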


