Re: ANN: capwrap - grant capabilities to executables

H. Peter Anvin (hpa@zytor.com)
17 Mar 2002 14:25:12 -0800


Followup to: <20020317121118.A18548@glacier.arctrix.com>
By author: Neil Schemenauer <nas@python.ca>
In newsgroup: linux.dev.kernel
>
> I've written a small module¹ that enables the use of Linux capabilities
> on filesystems that do not support them. It is similar in spirit to the ELF
> capabilities hack² but is not specific to the ELF executable format and
> is implemented as a separate kernel module.
>
> To grant capabilities to an executable, a small wrapper file is created
> that includes the path to an executable followed by a capability set
> written in hexadecimal. When this file is executed by the kernel, the
> executable is granted the specified capabilities. The wrapper file must
> be owned by root and have the SUID bit set.
>
> For example, to remove the SUID bit on the ping program while retaining
> its functionality:
>
> # chmod -s /bin/ping
> # mv /bin/ping /bin/ping_real
> # echo '&/bin/ping_real 2000' > /bin/ping
> # chmod +xs /bin/ping
>

Why not just do this with a small program if you're doing setuid
anyway?

-hpa

-- 
<hpa@transmeta.com> at work, <hpa@zytor.com> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt	<amsp@zytor.com>
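
An added example (not capwrap's code and not part of either message): a user-space decoder for the wrapper line shown in the ping example, for auditing which capabilities a wrapper file grants. The `&<path> <hex mask>` layout is assumed from that one example, the mask is assumed to use the standard Linux capability bit numbers, and `parse_wrapper` and `cap_name` are hypothetical names.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers 0..28 as defined in <linux/capability.h>. */
static const char *const cap_names[] = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
};
#define NCAPS ((unsigned)(sizeof cap_names / sizeof cap_names[0]))

const char *cap_name(unsigned bit) { return bit < NCAPS ? cap_names[bit] : NULL; }

/* Parse "&<absolute path> <hex mask>" (layout assumed from the ping example).
 * Returns 0 and fills path/mask, or -1 on anything malformed or unknown. */
int parse_wrapper(const char *line, char *path, size_t pathlen, unsigned long *mask)
{
    const char *sp;
    char *end;
    size_t n;
    if (line[0] != '&' || line[1] != '/' || !(sp = strchr(line, ' ')))
        return -1;                      /* missing marker, path or separator */
    n = (size_t)(sp - (line + 1));
    if (n >= pathlen || !isxdigit((unsigned char)sp[1]))
        return -1;                      /* path too long, or no hex digits */
    memcpy(path, line + 1, n);
    path[n] = '\0';
    errno = 0;
    *mask = strtoul(sp + 1, &end, 16);
    if (errno || (*end != '\0' && *end != '\n') || (*mask >> NCAPS))
        return -1;                      /* trailing junk or bits with no known name */
    return 0;
}

int main(void)
{
    char path[256];
    unsigned long mask;
    if (parse_wrapper("&/bin/ping_real 2000\n", path, sizeof path, &mask))
        return 1;                       /* input is the line from the ping example */
    printf("%s:", path);
    for (unsigned b = 0; b < NCAPS; b++)
        if (mask & (1UL << b)) printf(" %s", cap_name(b));
    putchar('\n');
    return 0;
}
```

For the ping wrapper the only bit set is 13, CAP_NET_RAW, which is far less than the full root privilege the original SUID binary ran with.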