Jim Breton wrote:
> Are there any good resources which provide details on how to take
> advantage of the kernel's capabilities? I've installed lcap, setpcap,
> and friends but am surprised at how little documentation I've been able
> to find (maybe I'm looking in the wrong place).

Yeah, I noticed that too back when I started fiddling with caps. So I wrote a paper on it ;)
http://linux.com/security/newsitem.phtml?sid=11&aid=4693

You might also want to look at
http://kernelnotes.org/lnxlists/linux-kernel/lk_0006_02/
in regard to the capabilities+sendmail exploit that was posted to bugtraq. The official fix to the kernel broke capabilities; however, Joe Gooch posted a working patch to the kernel to close the exploit and still allow caps to work.

> Why am I unable to give some caps to a process, and not others? And why
> am I unable to preserve caps through a uid change with sucap?
> Thanks for any help/pointers to docs/etc. I would really like to get
> this going (mainly to run some daemons that must bind to low ports as
> non-root) but it's extremely difficult to find any assistance on this.

These two areas are covered in the paper, with sample code too :]
Feel free to send me questions.

The link in the paper that points to a modified libcap is broken at the moment. Instead use
http://boboshrimps.linuxos.org/~zeppelin/box/

Hope that helps,
Jim Hewlett
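The two questions in the thread (keeping capabilities across a uid change, and running a low-port daemon as non-root) come down to one kernel mechanism: `prctl(PR_SET_KEEPCAPS)` followed by a `capset()` that re-enables the single capability the daemon needs. The program below is an added example written for this page; it is not the sample code from the paper linked above, nor anything from lcap, setpcap or sucap. It talks to the kernel through the raw `capget`/`capset` syscalls so it builds without libcap, and it mirrors the struct layout and constants from the kernel's `linux/capability.h` locally. The target uid/gid of 65534 is a constructed assumption (the "nobody" account on many distributions); `read_caps`, `write_caps`, `has_effective_cap` and `drop_to_uid_keeping_cap` are names chosen here, not kernel or libcap APIs.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef PR_SET_KEEPCAPS
#define PR_SET_KEEPCAPS 8 /* value from the kernel's linux/prctl.h */
#endif

/* Mirror of the raw capget/capset ABI from the kernel's uapi linux/capability.h,
 * spelled out here so the example builds without libcap or kernel headers. */
#define CAP_NET_BIND_SERVICE 10
#define LINUX_CAPABILITY_VERSION_3 0x20080522
#define LINUX_CAPABILITY_U32S_3 2

struct cap_header { uint32_t version; int pid; };
struct cap_data { uint32_t effective, permitted, inheritable; };

/* Capabilities are numbered from 0 and stored as bits across two 32-bit words. */
int cap_word(int cap) { return cap / 32; }
uint32_t cap_bit(int cap) { return 1u << (cap % 32); }

/* Read the calling thread's capability sets. Needs no privilege. Returns 0 or -1. */
int read_caps(struct cap_data data[LINUX_CAPABILITY_U32S_3]) {
    struct cap_header hdr = { LINUX_CAPABILITY_VERSION_3, 0 };
    memset(data, 0, sizeof(struct cap_data) * LINUX_CAPABILITY_U32S_3);
    return syscall(SYS_capget, &hdr, data) == 0 ? 0 : -1;
}

/* Replace the calling thread's capability sets. Shrinking needs no privilege;
 * the effective set must be a subset of the permitted set. Returns 0 or -1. */
int write_caps(const struct cap_data data[LINUX_CAPABILITY_U32S_3]) {
    struct cap_header hdr = { LINUX_CAPABILITY_VERSION_3, 0 };
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

/* 1 if `cap` is in the caller's effective set, 0 if not, -1 on error. */
int has_effective_cap(int cap) {
    struct cap_data data[LINUX_CAPABILITY_U32S_3];
    if (read_caps(data) < 0) return -1;
    return (data[cap_word(cap)].effective & cap_bit(cap)) ? 1 : 0;
}

/* Switch from root to uid/gid, keeping exactly one capability (`keep`) in the
 * permitted and effective sets and discarding everything else.
 *
 * Without PR_SET_KEEPCAPS the kernel clears every capability as soon as all
 * uids of the process become non-zero. With it, setuid() keeps the permitted
 * set but still clears the effective set, which is why the final capset()
 * is needed to switch `keep` back on. Returns 0 on success, -1 with errno set. */
int drop_to_uid_keeping_cap(uid_t uid, gid_t gid, int keep) {
    struct cap_data data[LINUX_CAPABILITY_U32S_3];

    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) return -1;
    if (setgroups(0, NULL) < 0) return -1;            /* drop supplementary groups */
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1; /* gid first, while still root */

    memset(data, 0, sizeof data);
    data[cap_word(keep)].permitted = cap_bit(keep);
    data[cap_word(keep)].effective = cap_bit(keep);
    if (write_caps(data) < 0) return -1;

    /* KEEPCAPS is reset on execve anyway, but turn it off explicitly. */
    if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) return -1;
    return 0;
}

int main(void) {
    /* Constructed target identity: uid/gid 65534 ("nobody" on many distributions). */
    const uid_t target_uid = 65534;
    const gid_t target_gid = 65534;

    if (geteuid() != 0) {
        printf("not root: CAP_NET_BIND_SERVICE effective=%d\n",
               has_effective_cap(CAP_NET_BIND_SERVICE));
        return 0;
    }
    if (drop_to_uid_keeping_cap(target_uid, target_gid, CAP_NET_BIND_SERVICE) < 0) {
        perror("drop_to_uid_keeping_cap");
        return 1;
    }
    printf("uid=%d euid=%d CAP_NET_BIND_SERVICE effective=%d\n",
           (int)getuid(), (int)geteuid(), has_effective_cap(CAP_NET_BIND_SERVICE));
    /* From here a bind() to a port below 1024 succeeds, while anything that
     * needs another capability (chown of a foreign file, raw sockets, ...) fails:
     * only the one capability survived the uid change. */
    return 0;
}
```

Run it as root (`sudo ./a.out`) to see the process end up as uid 65534 with only CAP_NET_BIND_SERVICE effective; run it unprivileged and it just reports whether that capability is currently effective. The order matters: `setgroups`/`setgid` must come before `setuid`, because once the uid is non-zero the process no longer holds CAP_SETGID, and the capability sets are rebuilt from scratch with `memset` so that nothing inherited from root slips through.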