Re: linux capabilities (was: Should openSUSE review it's Security Policies?)
Roger Oberholtzer wrote:
> On Thu, 2012-03-01 at 19:53 +0000, Jim Henderson wrote:
>> On Thu, 01 Mar 2012 14:52:43 +0100, Per Jessen wrote:
>> > Well, maybe start with "man capabilities". I think that is where I
>> > saw CAP_NET_BROADCAST mentioned. I have never played with any of
>> > this, but my understanding is that you can manage various
>> > capabilities on a per-process or per-user basis. I'm grasping at
>> > straws, but I'm sure somebody here will have an actual understanding
>> > of this.
>> From what I understand, kernel capabilities are disabled selectively
>> - you start a program as root and it has access to everything, and
>> then the program (perhaps also an external process can do this - that
>> I don't know) disables what the program shouldn't be allowed to do.
> The kernel does this. If the UID is 0 (root) some set of permissions
> are enabled. If not 0 (not running as root) a different default set
> are enabled. The 'capabilities' mechanism allows extension of what non
> 0 UID apps can do. The permissions, it seems, are stored in the file
> system along with the executable (see 'man capabilities'). So, I would
> imagine it requires either a specific file system, or that additional
> file system options be enabled. The man page is rather vague.
I think it requires extended attributes, that's all.
This has a good explanation (imo):
Thinking out loud:
Maybe you could run your third-party broadcasters from a little wrapper
that drops privileges & capabilities, except CAP_NET_BROADCAST? You'd
still need root to begin with, but the actual software would then run
That could be an option. The trick is to know all the privileges one now
has that are not needed. To miss any would be sloppy. It would be useful
to be able to set the privileges to a non root level and then add the
Thanks for the link. Always something new to learn.
OPQ Systems / Ramböll RST
Office: Int +46 10-615 60 20
Mobile: Int +46 70-815 1696
Ramböll Sverige AB
P.O. Box 17009
SE-104 62 Stockholm, Sweden