Re: Posix capabilities

Andreas Gruenbacher (agruen@suse.de)
Sun, 27 Oct 2002 14:46:24 +0100


On Sunday 20 October 2002 16:16, Pavel Machek wrote:
> Hi!
>
> > > Ah, ok... I thought that things work like this: the capabilities
> > > support already is in the kernel, and to give an app a particular
> > > capability, one has to add a particalar extended attribute to the
> > > application executable. So I'm wrong here it seems?
> >
> > First of all, you can't use a standard user extended attribute, since
> > anyone with write access to the file will be allowed to set the
> > extended attribute. This isn't good if you're going to be granting
>
> What are extended attributes good for, then?

Extended attributes support different namespaces, like user.* and system.*.
The user.* namespace is treaded similarly to the file contents permission
wise, so users can associate attributes with files. Things like ACLs,
Capabilities, etc. are intended to be added to the system.* namespace. They
differ from user.* in that they require different permissions/capabilities
from the calling process.

ACLs are named system.posix_acl_access and system.posix_acl_default.
Capabilities could be named system.posix_caps, for example.

You can look this all up in the attr(5) manual page at
<http://acl.bestbits.at/cgi-man/attr.5>.

--Andreas.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/