linux capability
2016-07-16 11:53
1. The capability set:

| Capability | Effect | Dangerous |
|---|---|---|
| CAP_AUDIT_CONTROL | Control kernel auditing | |
| CAP_AUDIT_READ | Read the audit log via a multicast netlink socket | |
| CAP_AUDIT_WRITE | Write records to the kernel audit log | |
| CAP_BLOCK_SUSPEND | Can prevent the system from suspending | |
| CAP_CHOWN | Change file user and group | Yes |
| CAP_DAC_OVERRIDE | Bypass file permission checks | Yes |
| CAP_DAC_READ_SEARCH | Read all files and directories | Yes |
| CAP_FOWNER | Perform operations on files owned by other users, such as chmod, chattr or utime | Yes |
| CAP_FSETID | Keep the suid and sgid bits when modifying a file | Yes |
| CAP_IPC_LOCK | Lock memory (mlock, mlockall, mmap, shmctl) | |
| CAP_IPC_OWNER | Bypass shared memory permission checks | Yes |
| CAP_KILL | Send signals to any process | |
| CAP_LEASE | Establish leases on any file | |
| CAP_LINUX_IMMUTABLE | Make files immutable or append-only using chattr | |
| CAP_MAC_ADMIN | Perform MAC administration (for the Smack LSM) | Yes |
| CAP_MAC_OVERRIDE | Override MAC (for the Smack LSM) | Yes |
| CAP_MKNOD | Create files using mknod() | |
| CAP_NET_ADMIN | Perform network administration such as configuring interfaces or routing tables | Yes |
| CAP_NET_BIND_SERVICE | Bind a socket to a privileged port (< 1024) | |
| CAP_NET_BROADCAST | Make socket broadcasts and listen to multicasts | |
| CAP_NET_RAW | Use RAW and PACKET sockets | |
| CAP_SETGID | Change to any group ID | |
| CAP_SETFCAP | Set file capabilities | Yes |
| CAP_SETPCAP | Set capabilities if file capabilities are not present | |
| CAP_SETUID | Change to any user ID | |
| CAP_SYS_ADMIN | Perform privileged system administration operations such as mount, swapon, sethostname and keyctl. This capability in particular can be used in multiple ways to gain additional privileges. | Yes |
| CAP_SYS_BOOT | Can reboot and kexec_load | |
| CAP_SYS_CHROOT | Can chroot | |
| CAP_SYS_MODULE | Can load and unload kernel modules | |
| CAP_SYS_NICE | Change process priority levels and scheduling class (e.g. to real-time) | |
| CAP_SYS_PACCT | Can use acct | |
| CAP_SYS_PTRACE | ptrace any process | Yes |
| CAP_SYS_RAWIO | Perform I/O port operations and access /proc/kcore. Override zero mmap restrictions. | |
| CAP_SYS_RESOURCE | Set or override resource limits | |
| CAP_SYS_TIME | Can set the system clock and real-time hardware clock | |
| CAP_SYS_TTY_CONFIG | Can hang up the current tty | |
| CAP_SYSLOG | Can configure the behavior of printk() to affect the kernel's syslog | |
| CAP_WAKE_ALARM | Can trigger something to wake the system | |

Note: different kernel versions may differ slightly; some of these capabilities were added later.
2. Capability inheritance
A child process obtains capabilities in two ways:
a. by inheriting them from the parent process;
b. from file capabilities: if they are set on the executable, the process can, much like with setuid and setgid, obtain a larger capability set than its parent; file capabilities are stored in an extended attribute (xattr).
For a child created by fork or clone, the permitted, effective and inheritable capabilities are identical to the parent's.
For a process started via exec:
a. If file capabilities are set, the child's capabilities are:

```c
/*
 * pP' = (X & fP) | (pI & fI)
 */
new->cap_permitted.cap[i] =
        (new->cap_bset.cap[i] & permitted) |
        (new->cap_inheritable.cap[i] & inheritable);
```

where permitted and inheritable are read from the file capabilities (X is the bounding set cap_bset, pI the process's inheritable set).
If the file effective capability flag is set, then:

```c
if (effective)
        new->cap_effective = new->cap_permitted;
else
        cap_clear(new->cap_effective);
```
b. If no file capabilities are set, the rules for inheriting capabilities from the parent are:
If the parent is root, the inherited capabilities are:

```c
if (new->euid == 0 || new->uid == 0) {
        /* pP' = (cap_bset & ~0) | (pI & ~0) */
        new->cap_permitted = cap_combine(old->cap_bset,
                                         old->cap_inheritable);
}
```

i.e. cap_bset | cap_inheritable.
If the parent is not root, the child loses all capabilities.
Different kernel versions may handle capability inheritance differently; the rules above are those of v3.3.8. For details, see the kernel source along the call chain:

prepare_binprm() -> security_bprm_set_creds() -> cap_bprm_set_creds()
Enabling file capabilities:
a. make sure the kernel supports them;
b. set them on the executable: setcap cap_sys_nice+pe myapp
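To see how the exec rules above combine with the setcap command, here is an added example (not code from the original post or from the kernel) that models the v3.3.8 transition on 64-bit masks; the struct names, the simplified root handling (effective set raised only when euid == 0) and the scenario values are assumptions:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Capability bit positions as numbered in <linux/capability.h>. */
#define CAP_NET_BIND_SERVICE (1ULL << 10)
#define CAP_SYS_ADMIN        (1ULL << 21)
#define CAP_SYS_NICE         (1ULL << 23)

typedef struct {
    uint64_t bset, permitted, inheritable, effective; /* X, pP, pI, pE */
    unsigned uid, euid;
} creds_t;                                             /* assumed model type */

typedef struct {
    bool present;                    /* security.capability xattr exists */
    uint64_t permitted, inheritable; /* fP, fI */
    bool effective;                  /* fE flag (the "e" in setcap +pe) */
} file_caps_t;                                         /* assumed model type */

/* Model of the v3.3.8 exec rules quoted above; fork/clone would copy every set unchanged. */
creds_t exec_transition(creds_t old, file_caps_t f)
{
    creds_t out = old; /* bounding and inheritable sets carry over; pP and pE are recomputed */
    if (f.present) {
        /* pP' = (X & fP) | (pI & fI): fP only takes effect inside the bounding set */
        out.permitted = (old.bset & f.permitted) | (old.inheritable & f.inheritable);
        out.effective = f.effective ? out.permitted : 0;
    } else if (old.euid == 0 || old.uid == 0) {
        /* root without file caps: pP' = X | pI (cap_combine); pE' raised only when euid == 0 */
        out.permitted = old.bset | old.inheritable;
        out.effective = (old.euid == 0) ? out.permitted : 0;
    } else {
        /* non-root without file caps: every capability is dropped */
        out.permitted = out.effective = 0;
    }
    return out;
}

int main(void)
{
    /* Constructed scenario: uid 1000 runs myapp after "setcap cap_sys_nice+pe myapp". */
    creds_t user = { .bset = ~0ULL, .uid = 1000, .euid = 1000 };
    file_caps_t fc = { .present = true, .permitted = CAP_SYS_NICE, .effective = true };
    creds_t child = exec_transition(user, fc);
    printf("permitted=%#llx effective=%#llx\n",
           (unsigned long long)child.permitted, (unsigned long long)child.effective);
    return 0;
}
```

Removing CAP_SYS_NICE from the bounding set of the calling process in the scenario leaves the child with no permitted capability at all, which is the clipping effect of the X & fP term.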