--- Bill O'Donnell <[EMAIL PROTECTED]> wrote:

> ... That said, can one expect, through the use of these enhanced
> capabilities, to be able to add some finer grain capabilities based on
> a specific userid?

POSIX capabilities are explicitly disjoint from userids in the kernel,
and this is by design. You could provide limited capability sets to
users at the application layer.

> In Chris' ping example, the suid is removed from /bin/ping to restrict
> it to root, and a capability added to allow any user to execute it.
> Can that example be extended to make it so only a _particular_ user
> can execute it?

Give the file the capability and set an ACL that allows only that user
execute access.

> I realize with SELinux, one could achieve the goal, but as a stopgap,
> can capabilities be used to get there?

Certainly, as above.

> Thanks,
> Bill
>
> --
> Bill O'Donnell
> SGI

Have a look in /etc/irix.cap on a Trix box some time. I suspect there
might be one in your facility.

Casey Schaufler
[EMAIL PROTECTED]
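An added example, not part of the thread, that turns the recipe above (drop setuid, grant the file capability, restrict execute with an ACL) into a shell script and adds an offline audit over constructed getfacl output; the path /usr/local/bin/ping, the user alice and cap_net_raw as the capability ping needs are assumptions.

```shell
# Constructed `getfacl` output for a ping copy that only root and "alice"
# may execute (path, user and capability below are assumptions).
SAMPLE_ACL='# file: usr/local/bin/ping
# owner: root
# group: root
user::rwx
user:alice:--x
group::r--
mask::r-x
other::r--'

# Run a command, or just print it when DRY_RUN=1 (the default here).
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$@"; else "$@"; fi; }

# The recipe from the reply: drop setuid, grant the capability the program
# needs instead of root, then let only user $2 execute it through an ACL.
# chmod runs before setfacl on purpose: once an ACL mask exists, chmod g-x
# edits the mask and would silently strip the named user's execute bit.
restrict_to_user() {
    f="$1"; u="$2"
    run chmod u-s,g-x,o-x "$f"
    run setcap cap_net_raw+ep "$f"      # raw sockets for ICMP echo (assumed)
    run setfacl -m "u:$u:--x" "$f"
}

# Audit: return 0 only if the ACL text in $1 grants execute to exactly one
# named user, that user is $2, and neither the owning group nor "other"
# can execute, while the mask still lets the named user's x take effect.
acl_restricts_execute_to() {
    printf '%s\n' "$1" | awk -v want="$2" -F: '
        /^#/ { next }
        $1 == "user" && $2 != "" { if (index($3, "x")) { users++; if ($2 == want) hit = 1 } }
        $1 == "group" && $2 == "" && index($3, "x") { bad = 1 }
        $1 == "other" && index($3, "x") { bad = 1 }
        $1 == "mask" && !index($3, "x") { bad = 1 }
        END { exit !(hit && users == 1 && !bad) }'
}

restrict_to_user /usr/local/bin/ping alice
acl_restricts_execute_to "$SAMPLE_ACL" alice && echo "ACL restricts execute to alice"
```

Run with DRY_RUN=0 as root to actually apply the commands; the audit function can be fed live output from `getfacl` on the target file.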