mirror of https://github.com/mkerrisk/man-pages
capabilities.7: ffix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 7c4dfcac5a
commit ade303d700
@ -60,7 +60,7 @@ Privileged processes bypass all kernel permission checks,
while unprivileged processes are subject to full permission
checking based on the process's credentials
(usually: effective UID, effective GID, and supplementary group list).

.PP
Starting with kernel 2.2, Linux divides the privileges traditionally
associated with superuser into distinct units, known as
.IR capabilities ,
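Review bot: "associated with superuser" in this hunk's context reads better as "associated with the superuser", which is how the term appears elsewhere in this file (the @ -1119 hunk says "the superuser"); since the hunk only swaps a blank line for .PP, this is a separate wording fix, but worth folding into the same formatting pass.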
@ -284,7 +284,7 @@ is not available when the kernel is configured to support
file capabilities, since
.B CAP_SETPCAP
has entirely different semantics for such kernels.)

.IP
If file capabilities are supported:
add any capability from the calling thread's bounding set
to its inheritable set;
@ -318,7 +318,7 @@ write a user ID mapping in a user namespace (see
this capability is overloaded; see
.IR "Notes to kernel developers" ,
below.

.IP
.PD 0
.RS
.IP * 2
@ -816,7 +816,7 @@ It is also a limiting superset for the capabilities that
may be added to the inheritable set by a thread that does not have the
.B CAP_SETPCAP
capability in its effective set.

.IP
If a thread drops a capability from its permitted set,
it can never reacquire that capability (unless it
.BR execve (2)s
@ -847,12 +847,12 @@ This is a set of capabilities that are preserved across an
of a program that is not privileged.
The ambient capability set obeys the invariant that no capability
can ever be ambient if it is not both permitted and inheritable.

.IP
The ambient capability set can be directly modified using
.BR prctl (2).
Ambient capabilities are automatically lowered if either of
the corresponding permitted or inheritable capabilities is lowered.

.IP
Executing a program that changes UID or GID due to the
set-user-ID or set-group-ID bits or executing a program that has
any file capabilities set will clear the ambient set.
@ -894,7 +894,7 @@ The file capability sets,
in conjunction with the capability sets of the thread,
determine the capabilities of a thread after an
.BR execve (2).

.PP
The three file capability sets are:
.TP
.IR Permitted " (formerly known as " forced ):
@ -916,7 +916,7 @@ also raised in the effective set.
If this bit is not set, then after an
.BR execve (2),
none of the new permitted capabilities is in the new effective set.

.IP
Enabling the file effective capability bit implies
that any file permitted or inheritable capability that causes a
thread to acquire the corresponding permitted capability during an
@ -938,9 +938,9 @@ During an
.BR execve (2),
the kernel calculates the new capabilities of
the process using the following algorithm:
.PP
.in +4n
.nf

P'(ambient) = (file is privileged) ? 0 : P(ambient)

P'(permitted) = (P(inheritable) & F(inheritable)) |
@ -949,9 +949,9 @@ P'(permitted) = (P(inheritable) & F(inheritable)) |
P'(effective) = F(effective) ? P'(permitted) : P'(ambient)

P'(inheritable) = P(inheritable) [i.e., unchanged]

.fi
.in
.PP
where:
.RS 4
.IP P 10
@ -968,14 +968,14 @@ is the value of the capability bounding set (described below).
.PP
A privileged file is one that has capabilities or
has the set-user-ID or set-group-ID bit set.

.PP
.IR Note :
the capability transitions described above may
.I not
be performed (i.e., file capabilities may be ignored) for the same reasons
that the set-user-ID and set-group-ID bits are ignored; see
.BR execve (2).

.PP
.IR Note :
according to the rules above,
if a process with nonzero user IDs performs an
@ -1002,7 +1002,7 @@ so that the file permitted capabilities are automatically
enabled in the process effective set when executing the file.
The kernel recognizes a file which has the effective capability bit set
as capability-dumb for the purpose of the check described here.

.PP
When executing a capability-dumb binary,
the kernel checks if the process obtained all permitted capabilities
that were specified in the file permitted set,
@ -1119,14 +1119,14 @@ The bounding set is accessible via the file
(Confusingly, this bit mask parameter is expressed as a
signed decimal number in
.IR /proc/sys/kernel/cap-bound .)

.PP
Only the
.B init
process may set capabilities in the capability bounding set;
other than that, the superuser (more precisely: programs with the
.B CAP_SYS_MODULE
capability) may only clear capabilities from this set.

.PP
On a standard system the capability bounding set always masks out the
.B CAP_SETPCAP
capability.
@ -1135,7 +1135,7 @@ To remove this restriction (dangerous!), modify the definition of
in
.I include/linux/capability.h
and rebuild the kernel.

.PP
The system-wide capability bounding set feature was added
to Linux starting with kernel version 2.2.11.
.\"
@ -1146,12 +1146,12 @@ From Linux 2.6.25, the
.I "capability bounding set"
is a per-thread attribute.
(There is no longer a system-wide capability bounding set.)

.PP
The bounding set is inherited at
.BR fork (2)
from the thread's parent, and is preserved across an
.BR execve (2).

.PP
A thread may remove capabilities from its capability bounding set using the
.BR prctl (2)
.B PR_CAPBSET_DROP
@ -1164,7 +1164,7 @@ A thread can determine if a capability is in its bounding set using the
.BR prctl (2)
.B PR_CAPBSET_READ
operation.

.PP
Removing capabilities from the bounding set is supported only if file
capabilities are compiled into the kernel.
In kernels before Linux 2.6.33,
@ -1184,7 +1184,7 @@ begins with a full bounding set minus
.BR CAP_SETPCAP ,
because this capability has a different meaning when there are
no file capabilities.

.PP
Removing a capability from the bounding set does not remove it
from the thread's inherited set.
However it does prevent the capability from being added
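Review bot: "from the thread's inherited set" in this hunk's trailing context should read "inheritable set"; this page names the per-thread sets as permitted, inheritable, effective, bounding and ambient (the @ -847 hunk speaks of a capability being "both permitted and inheritable"), and there is no "inherited set". The sentence is about the bounding set not masking the inheritable set, so the typo changes the meaning for a reader who takes it literally; suggest fixing it in this formatting pass.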
@ -1338,7 +1338,7 @@ operations.
The
.B CAP_SETPCAP
capability is required to modify the flags.

.PP
The
.I securebits
flags are inherited by child processes.
@ -1347,14 +1347,14 @@ During an
all of the flags are preserved, except
.B SECBIT_KEEP_CAPS
which is always cleared.

.PP
An application can use the following call to lock itself,
and all of its descendants,
into an environment where the only way of gaining capabilities
is by executing a program with associated file capabilities:
.PP
.in +4n
.nf

prctl(PR_SET_SECUREBITS,
/* SECBIT_KEEP_CAPS off */
SECBIT_KEEP_CAPS_LOCKED |
@ -1383,7 +1383,7 @@ capabilities were an optional kernel component,
and could be enabled/disabled via the
.B CONFIG_SECURITY_CAPABILITIES
kernel configuration option.

.PP
The
.I /proc/[pid]/task/TID/status
file can be used to view the capability sets of a thread.
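Review bot: the italicised path ".I /proc/[pid]/task/TID/status" in this hunk's trailing context mixes two placeholder styles (bracketed lowercase "[pid]" and bare uppercase "TID"); write both the same way, e.g. "/proc/[pid]/task/[tid]/status", so the path reads consistently with the "[pid]" form used for the process-level file.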
@ -1397,7 +1397,7 @@ Since Linux 3.8,
all nonexistent capabilities (above
.BR CAP_LAST_CAP )
are shown as disabled (0).

.PP
The
.I libcap
package provides a suite of routines for setting and
@ -1415,7 +1415,7 @@ It can be found at
.br
.UR http://www.kernel.org\:/pub\:/linux\:/libs\:/security\:/linux\-privs
.UE .

.PP
Before kernel 2.6.24, and from kernel 2.6.24 to kernel 2.6.32 if
file capabilities are not enabled, a thread with the
.B CAP_SETPCAP