Notes: 『Linux Capability』

Time: 2023-03-09 10:06:14

『Linux Capability』

  For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero).

  Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).

  Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

  • cap_effective: when a process is about to perform a privileged operation, the kernel checks whether the corresponding bit in cap_effective is set, instead of checking whether the process's euid is 0.
  • cap_permitted: the capabilities the process is actually allowed to use; cap_permitted may contain capabilities that are not in cap_effective.
  • cap_inheritable: the capabilities that child processes started by the target program can inherit.
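As an added example (not code from the original note), the script below decodes the CapInh/CapPrm/CapEff/CapBnd/CapAmb bitmasks the kernel reports in /proc/<pid>/status into the capability names used above, so an administrator can verify what a process started from a setcap'd binary actually holds. The bit numbering is taken from <linux/capability.h>; the status text is a constructed sample, not captured from a real host.

```python
import re
# Capability bit numbers from <linux/capability.h>, list index == bit (0..40).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

def decode_mask(mask: int) -> list:
    """Names of every capability bit set in mask; bits newer than the table show as cap_N."""
    names = []
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
    return names

def parse_status(text: str) -> dict:
    """Decode the Cap* lines of a /proc/<pid>/status dump into {set name: [cap names]}."""
    sets = {}
    for m in re.finditer(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", text, re.M):
        sets[m.group(1)] = decode_mask(int(m.group(2), 16))
    return sets

def dormant_capabilities(text: str) -> list:
    """Permitted capabilities the process has not raised into its effective set."""
    sets = parse_status(text)
    return sorted(set(sets.get("CapPrm", [])) - set(sets.get("CapEff", [])))

# Constructed sample: ping run by uid 1000 from a /bin/ping that carries cap_net_raw+ep,
# so only bit 13 (0x2000) is permitted and effective; the bounding set is the full 41 bits.
SAMPLE_STATUS = """\
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000002000
CapEff:\t0000000000002000
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    print(parse_status(SAMPLE_STATUS))
    print("dormant:", dormant_capabilities(SAMPLE_STATUS))
```

On a live system, feed it `open(f"/proc/{pid}/status").read()` instead of the sample.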


root # find / -perm /

『Example 1』


  /* CAP_NET_RAW: use RAW and PACKET sockets; bind to any address for transparent proxying */

root # chmod u-s /bin/ping
root # setcap CAP_NET_RAW+ep /bin/ping
root # getcap /bin/ping
/bin/ping = cap_net_raw+ep

『Example 2』


root # setcap CAP_NET_RAW+ep /usr/sbin/iftop

『Example 3』


root # setcap cap_dac_read_search,cap_sys_tty_config+ep /usr/bin/chvt