[rsbac] Capabilities
Amon Ott
ao at rsbac.org
Tue May 4 16:25:21 CEST 2004
On Tuesday, 4 May 2004 16:08, Rob See wrote:
> I'm working on getting the backup script to run as a different user
> and I wanted to do it by assigning CAP_DAC_READ_SEARCH to whichever
> binaries need it to run correctly. I've tried assigning it in min caps
> for the script and the binaries and it still can't read all files and
> directories. Am I understanding the way capabilities work? Is it true
> that by assigning minimum caps, they are assigned to the process even
> if it wouldn't normally have them? Also, how does inheritance work
You must assign them directly to the program that does the access, e.g.
attr_set_file_dir. The easiest way here is to assign min_caps to the user,
not the programs. It does work this way and with an ls here.
> with capabilities? Do they need to be assigned to each binary, or will
> assigning them to the parent process cause them to flow down ? Is there
There is no inheritance for CAP settings yet.
> any way to see what capabilities a process is running with? Has
No, I have not (yet) implemented such a way.
> anybody else seen them work right with 2.6.5 ? Also, I've noticed that
> there is a capabilities LSM module. Does that need to be compiled for
> them to work correctly?
If you enabled LSM, you also need to select the capabilities, without LSM
they are compiled in as fixed code. The last time I checked, you could not
register an LSM module after the capabilities, because that code did not
support stacking.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22