Linux Capabilites

Материал из noname.com.ua
Версия от 10:57, 12 января 2011; 95.133.46.34 (обсуждение) (Новая: POSIX Capabilities Content: 1. CAP_CHOWN Code Listing 1.1: CAP_CHOWN CAP_CHOWN In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this overrides the restriction of c...)
(разн.) ← Предыдущая | Текущая версия (разн.) | Следующая → (разн.)
Перейти к навигацииПерейти к поиску

POSIX Capabilities Content:

1. CAP_CHOWN

Code Listing 1.1: CAP_CHOWN

 CAP_CHOWN

In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this overrides the restriction of changing file ownership and group ownership.

2. CAP_DAC_OVERRIDE

Code Listing 2.1: CAP_DAC_OVERRIDE

 CAP_DAC_OVERRIDE

Override all DAC access, including ACL execute access if [_POSIX_ACL] is defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE.

3. CAP_DAC_READ_SEARCH

Code Listing 3.1: CAP_DAC_READ_SEARCH

 CAP_DAC_READ_SEARCH	

Overrides all DAC restrictions, regarding read and search on files and directories, including ACL restrictions, if [_POSIX_ACL] is defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE.

4. CAP_FOWNER

Code Listing 4.1: CAP_FOWNER

 CAP_FOWNER

Overrides all restrictions about allowed operations on files, where file owner ID must be equal to the user ID, except where CAP_FSETID is applicable. It doesn't override MAC and DAC restrictions.

5. CAP_FSETID

Code Listing 5.1: CAP_FSETID

 CAP_FSETID

Overrides the following restrictions, that the effective user ID shall match the file owner ID, when setting the S_ISUID and S_ISGID bits on that file; that the effective group ID (or one of the supplementary group IDs) shall match the file owner ID when setting the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are cleared on successful return from chown(2) (not implemented).

6. CAP_FS_MASK

Code Listing 6.1: CAP_FS_MASK

 CAP_FS_MASK

Used to decide between falling back on the old suser() or fsuser().

7. CAP_KILL

Code Listing 7.1: CAP_KILL

 CAP_KILL

Overrides the restriction, that the real or effective user ID of a process, sending a signal, must match the real or effective user ID of the process, receiving the signal.

8. CAP_SETGID

Code Listing 8.1: CAP_SETGID

 CAP_SETGID

Allows setgid(2) manipulation; Allows setgroups(2); Allows forged gids on socket credentials passing.

9. CAP_SETUID

Code Listing 9.1: CAP_SETUID

 CAP_SETUID

Allows set*uid(2) manipulation (including fsuid); Allows forged pids on socket credentials passing.

10. CAP_SETPCAP

Code Listing 10.1: CAP_SETPCAP

 CAP_SETPCAP

Transfer any capability in your permitted set to any pid, remove any capability in your permitted set from any pid.

11. CAP_LINUX_IMMUTABLE

Code Listing 11.1: CAP_LINUX_IMMUTABLE

 CAP_LINUX_IMMUTABLE

Allow modification of S_IMMUTABLE and S_APPEND file attributes.

12. CAP_NET_BIND_SERVICE

Code Listing 12.1: CAP_NET_BIND_SERVICE

 CAP_NET_BIND_SERVICE

Allows binding to TCP/UDP sockets below 1024; Allows binding to ATM VCIs below 32.

13. CAP_NET_BROADCAST

Code Listing 13.1: CAP_NET_BROADCAST

 CAP_NET_BROADCAST

Allow broadcasting, listen to multicast.

14. CAP_NET_ADMIN

Code Listing 14.1: CAP_NET_ADMIN

 CAP_NET_ADMIN

Allow interface configuration; Allow administration of IP firewall, masquerading and accounting; Allow setting debug option on sockets; Allow modification of routing tables; Allow setting arbitrary process / process group ownership on sockets; Allow binding to any address for transparent proxying; Allow setting TOS (type of service); Allow setting promiscuous mode; Allow clearing driver statistics; Allow multicasting; Allow read/write of devicespecific registers; Allow activation of ATM control sockets.

15. CAP_NET_RAW

Code Listing 15.1: CAP_NET_RAW

 CAP_NET_RAW

Allow use of RAW sockets; Allow use of PACKET sockets.

16. CAP_IPC_LOCK

Code Listing 16.1: CAP_IPC_LOCK

 CAP_IPC_LOCK

Allow locking of shared memory segments; Allow mlock and mlockall (which doesn't really have anything to do with IPC).

17. CAP_IPC_OWNER

Code Listing 17.1: CAP_IPC_OWNER

 CAP_IPC_OWNER

Override IPC ownership checks.

18. CAP_SYS_MODULE

Code Listing 18.1: CAP_SYS_MODULE

 CAP_SYS_MODULE

Insert and remove kernel modules modify kernel without limit; Modify cap_bset.

19. CAP_SYS_RAWIO

Code Listing 19.1: CAP_SYS_RAWIO

 CAP_SYS_RAWIO

Allow ioperm/iopl access; Allow sending USB messages to any device via /proc/bus/usb.

20. CAP_SYS_CHROOT

Code Listing 20.1: CAP_SYS_CHROOT

 CAP_SYS_CHROOT

Allow use of chroot().

21. CAP_SYS_PTRACE

Code Listing 21.1: CAP_SYS_PTRACE

 CAP_SYS_PTRACE

Allow ptrace() of any process.

22. CAP_SYS_PACCT

Code Listing 22.1: CAP_SYS_PACCT

 CAP_SYS_PACCT

Allow configuration of process accounting.

23. CAP_SYS_ADMIN

Code Listing 23.1: CAP_SYS_ADMIN

 CAP_SYS_ADMIN

Allow configuration of the secure attention key; Allow administration of the random device; Allow examination and configuration of disk quotas; Allow configuring the kernel's syslog (printk behaviour); Allow setting the domainname; Allow setting the hostname; Allow calling bdflush(); Allow mount() and umount(), setting up new smb connection; Allow some autofs root ioctls; Allow nfsservctl; Allow VM86_REQUEST_IRQ; Allow to read/write pci config on alpha; Allow irix_prctl on mips (setstacksize); Allow flushing all cache on m68k (sys_cacheflush); Allow removing semaphores; Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores and shared memory; Allow locking/unlocking of shared memory segment; Allow turning swap on/off; Allow forged pids on socket credentials passing; Allow setting readahead and flushing buffers on block devices; Allow setting geometry in floppy driver; Allow turning DMA on/off in xd driver; Allow administration of md devices (mostly the above, but some extra ioctls); Allow tuning the ide driver; Allow access to the nvram device; Allow administration of apm_bios, serial and bttv (TV) device; Allow manufacturer commands in isdn CAPI support driver; Allow reading nonstandardized portions of pci configuration space; Allow DDI debug ioctl on sbpcd driver; Allow setting up serial ports; Allow sending raw qic117 commands; Allow enabling/disabling tagged queuing on SCSI controllers and sending arbitrary SCSI commands; Allow setting encryption key on loopback filesystem.

24. CAP_SYS_BOOT

Code Listing 24.1: CAP_SYS_BOOT

 CAP_SYS_BOOT

Allow use of reboot().

25. CAP_SYS_NICE

Code Listing 25.1: CAP_SYS_NICE

 CAP_SYS_NICE

Allow raising priority and setting priority on other (different UID) processes; Allow use of FIFO and roundrobin (realtime) scheduling on own processes and setting the scheduling algorithm used by another process.

26. CAP_SYS_RESOURCE

Code Listing 26.1: CAP_SYS_RESOURCE

 CAP_SYS_RESOURCE 

Override resource limits. Set resource limits; Override quota limits; Override reserved space on ext2 filesystem; Modify data journaling mode on ext3 filesystem (uses journaling resources); NOTE: ext2 honors fsuid when checking for resource overrides, so you can override using fsuid too; Override size restrictions on IPC message queues; Allow more than 64hz interrupts from the realtime clock; Override max number of consoles on console allocation; Override max number of keymaps.

27. CAP_SYS_TIME

Code Listing 27.1: CAP_SYS_TIME

 CAP_SYS_TIME

Allow manipulation of system clock; Allow irix_stime on mips; Allow setting the realtime clock.

28. CAP_SYS_TTY_CONFIG

Code Listing 28.1: CAP_SYS_TTY_CONFIG

 CAP_SYS_TTY_CONFIG

Allow configuration of tty devices; Allow vhangup() of tty.

29. CAP_MKNOD

Code Listing 29.1: CAP_MKNOD

 CAP_MKNOD

Allow the privileged aspects of mknod().

30. CAP_LEASE

Code Listing 30.1: CAP_LEASE

 CAP_LEASE

Allow taking of leases on files.