List: sg-dc
Subject: Re: [sg-dc] posix capabilities in linux?
From: Michael Stone <mstone+sgdd () mathom ! us>
Date: 2009-11-20 17:27:26
Message-ID: 88ada836-d5f8-11de-9b6a-001cc0cda50c () msgid ! mathom ! us
On Fri, Nov 20, 2009 at 11:49:34AM -0500, Allon Stern wrote:
> On Nov 20, 2009, at 11:34 AM, Michael Stone wrote:
>> capsh --keep=1 --uid=202 --caps=cap_sys_time=eip --print
>>
>> But that won't get you all the way there.
>
> Why? Why doesn't it? Is it because exec will drop the privs?
Because the effective capabilities are the intersection of the process &
file capability sets.
> Yeah, that's where I was headed, as soon as I get extended attributes
> turned on in ubifs (for testing).
> Will a tmpfs have extended attributes? This executable is actually
> going to exist in tmpfs.
Hmm. I don't know that tmpfs supports capabilities. (It doesn't seem to
on my system, but there might be config options.) There were (once upon
a time) patches to set a default capability set on a mount point, but I
don't know that any of those are still maintained.
Mike Stone
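The exec behaviour Mike describes, as an added example that is not code from this thread: a Python model of the execve() capability transformation documented in capabilities(7) (the pre-ambient rules, i.e. kernels before 4.3), run over constructed process and file capability sets. It assumes the capsh invocation above left cap_sys_time in the process's permitted, inheritable and effective sets, and that a file on a filesystem without the security.capability xattr (tmpfs, in the case discussed) presents empty file sets.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

CAP_SYS_TIME = "cap_sys_time"
CAP_NET_ADMIN = "cap_net_admin"


@dataclass(frozen=True)
class ProcCaps:
    permitted: FrozenSet[str]
    inheritable: FrozenSet[str]
    effective: FrozenSet[str]
    bounding: FrozenSet[str]


@dataclass(frozen=True)
class FileCaps:
    """Contents of the executable's security.capability xattr."""
    permitted: FrozenSet[str] = frozenset()
    inheritable: FrozenSet[str] = frozenset()
    effective: bool = False  # the file's single "effective" flag


def caps_after_exec(proc: ProcCaps, fcaps: Optional[FileCaps]) -> ProcCaps:
    """execve() rules from capabilities(7), pre-ambient:
    P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding))
    P'(effective) = P'(permitted) if F(effective) else {}
    fcaps=None models a filesystem that carries no capability xattrs."""
    f = FileCaps() if fcaps is None else fcaps
    permitted = (proc.inheritable & f.inheritable) | (f.permitted & proc.bounding)
    effective = permitted if f.effective else frozenset()
    return ProcCaps(permitted, proc.inheritable, effective, proc.bounding)


# Constructed process state after: capsh --keep=1 --uid=202 --caps=cap_sys_time=eip
# (bounding set shown with only two caps for brevity).
AFTER_CAPSH = ProcCaps(
    permitted=frozenset({CAP_SYS_TIME}),
    inheritable=frozenset({CAP_SYS_TIME}),
    effective=frozenset({CAP_SYS_TIME}),
    bounding=frozenset({CAP_SYS_TIME, CAP_NET_ADMIN}),
)

# Constructed file sets. "setcap cap_sys_time=ei" lets the binary pick the cap
# up from the caller's inheritable set; "setcap cap_net_admin=ep" grants it
# outright, but only if it is still in the caller's bounding set.
SYS_TIME_EI = FileCaps(inheritable=frozenset({CAP_SYS_TIME}), effective=True)
NET_ADMIN_EP = FileCaps(permitted=frozenset({CAP_NET_ADMIN}), effective=True)

if __name__ == "__main__":
    print(sorted(caps_after_exec(AFTER_CAPSH, None).effective))         # []
    print(sorted(caps_after_exec(AFTER_CAPSH, SYS_TIME_EI).effective))  # ['cap_sys_time']
```

With no file capabilities (the tmpfs case) the new permitted set is empty, so --keep=1 alone cannot carry cap_sys_time across exec; the binary's own xattr has to name it.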
_______________________________________________
sg-dc mailing list
sg-dc@lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/sg-dc