Diffstat (limited to 'man7/capabilities.7')
-rw-r--r-- man7/capabilities.7 413
1 files changed, 212 insertions, 201 deletions
diff --git a/man7/capabilities.7 b/man7/capabilities.7 index ab9379978..8e8bfa154 100644 --- a/man7/capabilities.7 +++ b/man7/capabilities.7 @@ -72,9 +72,9 @@ Employ features that can block system suspend .TP .BR CAP_BPF " (since Linux 5.8)" Employ privileged BPF operations; see -.BR bpf (2) +.MR bpf 2 and -.BR bpf\-helpers (7). +.MR bpf\-helpers 7 . .IP This capability was added in Linux 5.8 to separate out BPF functionality from the overloaded @@ -89,12 +89,12 @@ capability. Update .I /proc/sys/kernel/ns_last_pid (see -.BR pid_namespaces (7)); +.MR pid_namespaces 7 ); .IP \[bu] employ the .I set_tid feature of -.BR clone3 (2); +.MR clone3 2 ; .\" FIXME There is also some use case relating to .\" prctl_set_mm_exe_file(); in the 5.9 sources, see .\" prctl_set_mm_map(). @@ -112,7 +112,7 @@ capability. .TP .B CAP_CHOWN Make arbitrary changes to file UIDs and GIDs (see -.BR chown (2)). +.MR chown 2 ). .TP .B CAP_DAC_OVERRIDE Bypass file read, write, and execute permission checks. @@ -126,10 +126,10 @@ Bypass file read permission checks and directory read and execute permission checks; .IP \[bu] invoke -.BR open_by_handle_at (2); +.MR open_by_handle_at 2 ; .IP \[bu] use the -.BR linkat (2) +.MR linkat 2 .B AT_EMPTY_PATH flag to create a link to a file referred to by a file descriptor. .RE @@ -142,15 +142,15 @@ flag to create a link to a file referred to by a file descriptor. Bypass permission checks on operations that normally require the filesystem UID of the process to match the UID of the file (e.g., -.BR chmod (2), -.BR utime (2)), +.MR chmod 2 , +.MR utime 2 ), excluding those operations covered by .B CAP_DAC_OVERRIDE and .BR CAP_DAC_READ_SEARCH ; .IP \[bu] set inode flags (see -.BR ioctl_iflags (2)) +.MR ioctl_iflags 2 ) on arbitrary files; .IP \[bu] set Access Control Lists (ACLs) on arbitrary files; 
@@ -164,9 +164,9 @@ extended attributes on sticky directory owned by any user; specify .B O_NOATIME for arbitrary files in -.BR open (2) +.MR open 2 and -.BR fcntl (2). +.MR fcntl 2 . .RE .PD .TP @@ -189,15 +189,17 @@ the filesystem or any of the supplementary GIDs of the calling process. .RS .IP \[bu] 3 Lock memory -.RB ( mlock (2), -.BR mlockall (2), -.BR mmap (2), -.BR shmctl (2)); +\%(\c +.MR mlock 2 , +.MR mlockall 2 , +.MR mmap 2 , +.MR shmctl 2 ); .IP \[bu] Allocate memory using huge pages -.RB ( memfd_create (2), -.BR mmap (2), -.BR shmctl (2)). +\%(\c +.MR memfd_create 2 , +.MR mmap 2 , +.MR shmctl 2 ). .RE .PD .TP @@ -206,9 +208,9 @@ Bypass permission checks for operations on System V IPC objects. .TP .B CAP_KILL Bypass permission checks for sending signals (see -.BR kill (2)). +.MR kill 2 ). This includes use of the -.BR ioctl (2) +.MR ioctl 2 .B KDSIGACCEPT operation. .\" FIXME . CAP_KILL also has an effect for threads + setting child @@ -219,7 +221,7 @@ operation. .TP .BR CAP_LEASE " (since Linux 2.4)" Establish leases on arbitrary files (see -.BR fcntl (2)). +.MR fcntl 2 ). .TP .B CAP_LINUX_IMMUTABLE Set the @@ -227,7 +229,7 @@ Set the and .B FS_IMMUTABLE_FL inode flags (see -.BR ioctl_iflags (2)). +.MR ioctl_iflags 2 ). .TP .BR CAP_MAC_ADMIN " (since Linux 2.6.25)" Allow MAC configuration or state changes. @@ -239,7 +241,7 @@ Implemented for the Smack LSM. .TP .BR CAP_MKNOD " (since Linux 2.4)" Create special files using -.BR mknod (2). +.MR mknod 2 . .TP .B CAP_NET_ADMIN Perform various network-related operations: @@ -263,7 +265,7 @@ set promiscuous mode; enabling multicasting; .IP \[bu] use -.BR setsockopt (2) +.MR setsockopt 2 to set the following socket options: .BR SO_DEBUG , .BR SO_MARK , @@ -301,7 +303,7 @@ Employ various performance-monitoring mechanisms, including: .IP \[bu] 3 .PD 0 call -.BR perf_event_open (2); +.MR perf_event_open 2 ; .IP \[bu] employ various BPF operations that have performance implications. .RE 
@@ -323,7 +325,7 @@ Make arbitrary manipulations of process GIDs and supplementary GID list; forge GID when passing socket credentials via UNIX domain sockets; .IP \[bu] write a group ID mapping in a user namespace (see -.BR user_namespaces (7)). +.MR user_namespaces 7 ). .PD .RE .TP @@ -333,7 +335,7 @@ Set arbitrary capabilities on a file. .\" commit db2e718a47984b9d71ed890eb2ea36ecf150de18 Since Linux 5.12, this capability is also needed to map user ID 0 in a new user namespace; see -.BR user_namespaces (7) +.MR user_namespaces 7 for details. .TP .B CAP_SETPCAP @@ -341,7 +343,7 @@ If file capabilities are supported (i.e., since Linux 2.6.24): add any capability from the calling thread's bounding set to its inheritable set; drop capabilities from the bounding set (via -.BR prctl (2) +.MR prctl 2 .BR PR_CAPBSET_DROP ); make changes to the .I securebits @@ -362,15 +364,16 @@ has entirely different semantics for such kernels.) .PD 0 .IP \[bu] 3 Make arbitrary manipulations of process UIDs -.RB ( setuid (2), -.BR setreuid (2), -.BR setresuid (2), -.BR setfsuid (2)); +\%(\c +.MR setuid 2 , +.MR setreuid 2 , +.MR setresuid 2 , +.MR setfsuid 2 ); .IP \[bu] forge UID when passing socket credentials via UNIX domain sockets; .IP \[bu] write a user ID mapping in a user namespace (see -.BR user_namespaces (7)). +.MR user_namespaces 7 ). .PD .RE .\" FIXME CAP_SETUID also an effect in exec(); document this. 
@@ -385,25 +388,25 @@ below. .RS .IP \[bu] 3 Perform a range of system administration operations including: -.BR quotactl (2), -.BR mount (2), -.BR umount (2), -.BR pivot_root (2), -.BR swapon (2), -.BR swapoff (2), -.BR sethostname (2), +.MR quotactl 2 , +.MR mount 2 , +.MR umount 2 , +.MR pivot_root 2 , +.MR swapon 2 , +.MR swapoff 2 , +.MR sethostname 2 , and -.BR setdomainname (2); +.MR setdomainname 2 ; .IP \[bu] perform privileged -.BR syslog (2) +.MR syslog 2 operations (since Linux 2.6.37, .B CAP_SYSLOG should be used to permit such operations); .IP \[bu] perform .B VM86_REQUEST_IRQ -.BR vm86 (2) +.MR vm86 2 command; .IP \[bu] access the same checkpoint/restore functionality that is governed by @@ -436,13 +439,13 @@ perform operations on and .I security extended attributes (see -.BR xattr (7)); +.MR xattr 7 ); .IP \[bu] use -.BR lookup_dcookie (2); +.MR lookup_dcookie 2 ; .IP \[bu] use -.BR ioprio_set (2) +.MR ioprio_set 2 to assign .B IOPRIO_CLASS_RT and (before Linux 2.6.25) @@ -455,17 +458,17 @@ exceed .IR /proc/sys/fs/file\-max , the system-wide limit on the number of open files, in system calls that open files (e.g., -.BR accept (2), -.BR execve (2), -.BR open (2), -.BR pipe (2)); +.MR accept 2 , +.MR execve 2 , +.MR open 2 , +.MR pipe 2 ); .IP \[bu] employ .B CLONE_* flags that create new namespaces with -.BR clone (2) +.MR clone 2 and -.BR unshare (2) +.MR unshare 2 (but, since Linux 3.8, creating user namespaces does not require any capability); .IP \[bu] @@ -474,7 +477,7 @@ access privileged event information; .IP \[bu] call -.BR setns (2) +.MR setns 2 (requires .B CAP_SYS_ADMIN in the 
@@ -482,51 +485,51 @@ in the namespace); .IP \[bu] call -.BR fanotify_init (2); +.MR fanotify_init 2 ; .IP \[bu] perform privileged .B KEYCTL_CHOWN and .B KEYCTL_SETPERM -.BR keyctl (2) +.MR keyctl 2 operations; .IP \[bu] perform -.BR madvise (2) +.MR madvise 2 .B MADV_HWPOISON operation; .IP \[bu] employ the .B TIOCSTI -.BR ioctl (2) +.MR ioctl 2 to insert characters into the input queue of a terminal other than the caller's controlling terminal; .IP \[bu] employ the obsolete -.BR nfsservctl (2) +.MR nfsservctl 2 system call; .IP \[bu] employ the obsolete -.BR bdflush (2) +.MR bdflush 2 system call; .IP \[bu] perform various privileged block-device -.BR ioctl (2) +.MR ioctl 2 operations; .IP \[bu] perform various privileged filesystem -.BR ioctl (2) +.MR ioctl 2 operations; .IP \[bu] perform privileged -.BR ioctl (2) +.MR ioctl 2 operations on the .I /dev/random device (see -.BR random (4)); +.MR random 4 ); .IP \[bu] install a -.BR seccomp (2) +.MR seccomp 2 filter without first having to set the .I no_new_privs thread attribute; @@ -534,12 +537,12 @@ thread attribute; modify allow/deny rules for device control groups; .IP \[bu] employ the -.BR ptrace (2) +.MR ptrace 2 .B PTRACE_SECCOMP_GET_FILTER operation to dump tracee's seccomp filters; .IP \[bu] employ the -.BR ptrace (2) +.MR ptrace 2 .B PTRACE_SETOPTIONS operation to suspend the tracee's seccomp protections (i.e., the .B PTRACE_O_SUSPEND_SECCOMP @@ -550,25 +553,25 @@ perform administrative operations on many device drivers; modify autogroup nice values by writing to .IR /proc/ pid /autogroup (see -.BR sched (7)). +.MR sched 7 ). .RE .PD .TP .B CAP_SYS_BOOT Use -.BR reboot (2) +.MR reboot 2 and -.BR kexec_load (2). +.MR kexec_load 2 . .TP .B CAP_SYS_CHROOT .RS .PD 0 .IP \[bu] 3 Use -.BR chroot (2); +.MR chroot 2 ; .IP \[bu] change mount namespaces using -.BR setns (2). +.MR setns 2 . .PD .RE .TP 
@@ -578,9 +581,9 @@ change mount namespaces using .IP \[bu] 3 Load and unload kernel modules (see -.BR init_module (2) +.MR init_module 2 and -.BR delete_module (2)); +.MR delete_module 2 ); .IP \[bu] before Linux 2.6.25: drop capabilities from the system-wide capability bounding set. @@ -592,24 +595,28 @@ drop capabilities from the system-wide capability bounding set. .RS .IP \[bu] 3 Lower the process nice value -.RB ( nice (2), -.BR setpriority (2)) +\%(\c +.MR nice 2 , +.MR setpriority 2 ) and change the nice value for arbitrary processes; .IP \[bu] set real-time scheduling policies for calling process, and set scheduling policies and priorities for arbitrary processes -.RB ( sched_setscheduler (2), -.BR sched_setparam (2), -.BR sched_setattr (2)); +\%(\c +.MR sched_setscheduler 2 , +.MR sched_setparam 2 , +.MR sched_setattr 2 ); .IP \[bu] set CPU affinity for arbitrary processes -.RB ( sched_setaffinity (2)); +\%(\c +.MR sched_setaffinity 2 ); .IP \[bu] set I/O scheduling class and priority for arbitrary processes -.RB ( ioprio_set (2)); +\%(\c +.MR ioprio_set 2 ); .IP \[bu] apply -.BR migrate_pages (2) +.MR migrate_pages 2 to arbitrary processes and allow processes to be migrated to arbitrary nodes; .\" FIXME CAP_SYS_NICE also has the following effect for 
@@ -620,40 +627,40 @@ to be migrated to arbitrary nodes; .\" Document this. .IP \[bu] apply -.BR move_pages (2) +.MR move_pages 2 to arbitrary processes; .IP \[bu] use the .B MPOL_MF_MOVE_ALL flag with -.BR mbind (2) +.MR mbind 2 and -.BR move_pages (2). +.MR move_pages 2 . .RE .PD .TP .B CAP_SYS_PACCT Use -.BR acct (2). +.MR acct 2 . .TP .B CAP_SYS_PTRACE .PD 0 .RS .IP \[bu] 3 Trace arbitrary processes using -.BR ptrace (2); +.MR ptrace 2 ; .IP \[bu] apply -.BR get_robust_list (2) +.MR get_robust_list 2 to arbitrary processes; .IP \[bu] transfer data to or from the memory of arbitrary processes using -.BR process_vm_readv (2) +.MR process_vm_readv 2 and -.BR process_vm_writev (2); +.MR process_vm_writev 2 ; .IP \[bu] inspect processes using -.BR kcmp (2). +.MR kcmp 2 . .RE .PD .TP @@ -664,18 +671,18 @@ inspect processes using Perform I/O port operations .RB ( iopl (2) and -.BR ioperm (2)); +.MR ioperm 2 ); .IP \[bu] access .IR /proc/kcore ; .IP \[bu] employ the .B FIBMAP -.BR ioctl (2) +.MR ioctl 2 operation; .IP \[bu] open devices for accessing x86 model-specific registers (MSRs, see -.BR msr (4)); +.MR msr 4 ); .IP \[bu] update .IR /proc/sys/vm/mmap_min_addr ; @@ -694,9 +701,9 @@ and perform various SCSI device commands; .IP \[bu] perform certain operations on -.BR hpsa (4) +.MR hpsa 4 and -.BR cciss (4) +.MR cciss 4 devices; .IP \[bu] perform a range of device-specific operations on other devices. @@ -710,13 +717,13 @@ perform a range of device-specific operations on other devices. Use reserved space on ext2 filesystems; .IP \[bu] make -.BR ioctl (2) +.MR ioctl 2 calls controlling ext3 journaling; .IP \[bu] override disk quota limits; .IP \[bu] increase resource limits (see -.BR setrlimit (2)); +.MR setrlimit 2 ); .IP \[bu] override .B RLIMIT_NPROC 
@@ -733,22 +740,22 @@ raise limit for a System V message queue above the limit in .I /proc/sys/kernel/msgmnb (see -.BR msgop (2) +.MR msgop 2 and -.BR msgctl (2)); +.MR msgctl 2 ); .IP \[bu] allow the .B RLIMIT_NOFILE resource limit on the number of "in-flight" file descriptors to be bypassed when passing file descriptors to another process via a UNIX domain socket (see -.BR unix (7)); +.MR unix 7 ); .IP \[bu] override the .I /proc/sys/fs/pipe\-size\-max limit when setting the capacity of a pipe using the .B F_SETPIPE_SZ -.BR fcntl (2) +.MR fcntl 2 command; .IP \[bu] use @@ -762,10 +769,10 @@ override and .I /proc/sys/fs/mqueue/msgsize_max limits when creating POSIX message queues (see -.BR mq_overview (7)); +.MR mq_overview 7 ); .IP \[bu] employ the -.BR prctl (2) +.MR prctl 2 .B PR_SET_MM operation; .IP \[bu] @@ -778,16 +785,17 @@ to a value lower than the value last set by a process with .TP .B CAP_SYS_TIME Set system clock -.RB ( settimeofday (2), -.BR stime (2), -.BR adjtimex (2)); +\%(\c +.MR settimeofday 2 , +.MR stime 2 , +.MR adjtimex 2 ); set real-time (hardware) clock. .TP .B CAP_SYS_TTY_CONFIG Use -.BR vhangup (2); +.MR vhangup 2 ; employ various privileged -.BR ioctl (2) +.MR ioctl 2 operations on virtual terminals. .TP .BR CAP_SYSLOG " (since Linux 2.6.37)" @@ -795,10 +803,10 @@ operations on virtual terminals. .PD 0 .IP \[bu] 3 Perform privileged -.BR syslog (2) +.MR syslog 2 operations. See -.BR syslog (2) +.MR syslog 2 for information on which operations require privilege. .IP \[bu] View kernel addresses exposed via @@ -809,7 +817,7 @@ has the value 1. (See the discussion of the .I kptr_restrict in -.BR proc (5).) +.MR proc 5 .) .PD .RE .TP 
@@ -902,19 +910,19 @@ capability in its effective set. .IP If a thread drops a capability from its permitted set, it can never reacquire that capability (unless it -.BR execve (2)s +.MR execve 2 s either a set-user-ID-root program, or a program whose associated file capabilities grant that capability). .TP .I Inheritable This is a set of capabilities preserved across an -.BR execve (2). +.MR execve 2 . Inheritable capabilities remain inheritable when executing any program, and inheritable capabilities are added to the permitted set when executing a program that has the corresponding bits set in the file inheritable set. .IP Because inheritable capabilities are not generally preserved across -.BR execve (2) +.MR execve 2 when running as a non-root user, applications that wish to run helper programs with elevated capabilities should consider using ambient capabilities, described below. @@ -926,7 +934,7 @@ perform permission checks for the thread. .IR Bounding " (per-thread since Linux 2.6.25)" The capability bounding set is a mechanism that can be used to limit the capabilities that are gained during -.BR execve (2). +.MR execve 2 . .IP Since Linux 2.6.25, this is a per-thread capability set. In older kernels, the capability bounding set was a system wide attribute @@ -939,13 +947,13 @@ below. .IR Ambient " (since Linux 4.3)" .\" commit 58319057b7847667f0c9585b9de0e8932b0fdb08 This is a set of capabilities that are preserved across an -.BR execve (2) +.MR execve 2 of a program that is not privileged. The ambient capability set obeys the invariant that no capability can ever be ambient if it is not both permitted and inheritable. .IP The ambient capability set can be directly modified using -.BR prctl (2). +.MR prctl 2 . Ambient capabilities are automatically lowered if either of the corresponding permitted or inheritable capabilities is lowered. .IP 
@@ -954,25 +962,25 @@ set-user-ID or set-group-ID bits or executing a program that has any file capabilities set will clear the ambient set. Ambient capabilities are added to the permitted set and assigned to the effective set when -.BR execve (2) +.MR execve 2 is called. If ambient capabilities cause a process's permitted and effective capabilities to increase during an -.BR execve (2), +.MR execve 2 , this does not trigger the secure-execution mode described in -.BR ld.so (8). +.MR ld.so 8 . .P A child created via -.BR fork (2) +.MR fork 2 inherits copies of its parent's capability sets. For details on how -.BR execve (2) +.MR execve 2 affects capabilities, see .I Transformation of capabilities during execve() below. .P Using -.BR capset (2), +.MR capset 2 , a thread may manipulate its own capability sets; see .I Programmatically adjusting capability sets below. @@ -988,11 +996,11 @@ that may be set in a capability set. .SS File capabilities Since Linux 2.6.24, the kernel supports associating capability sets with an executable file using -.BR setcap (8). +.MR setcap 8 . The file capability sets are stored in an extended attribute (see -.BR setxattr (2) +.MR setxattr 2 and -.BR xattr (7)) +.MR xattr 7 ) named .IR "security.capability" . Writing to this extended attribute requires the @@ -1001,7 +1009,7 @@ capability. The file capability sets, in conjunction with the capability sets of the thread, determine the capabilities of a thread after an -.BR execve (2). +.MR execve 2 . .P The three file capability sets are: .TP 
@@ -1013,30 +1021,31 @@ regardless of the thread's inheritable capabilities. This set is ANDed with the thread's inheritable set to determine which inheritable capabilities are enabled in the permitted set of the thread after the -.BR execve (2). +.MR execve 2 . .TP .IR Effective : This is not a set, but rather just a single bit. If this bit is set, then during an -.BR execve (2) +.MR execve 2 all of the new permitted capabilities for the thread are also raised in the effective set. If this bit is not set, then after an -.BR execve (2), +.MR execve 2 , none of the new permitted capabilities is in the new effective set. .IP Enabling the file effective capability bit implies that any file permitted or inheritable capability that causes a thread to acquire the corresponding permitted capability during an -.BR execve (2) +.MR execve 2 (see .I Transformation of capabilities during execve() below) will also acquire that capability in its effective set. Therefore, when assigning capabilities to a file -.RB ( setcap (8), -.BR cap_set_file (3), -.BR cap_set_fd (3)), +\%(\c +.MR setcap 8 , +.MR cap_set_file 3 , +.MR cap_set_fd 3 ), if we specify the effective flag as being enabled for any capability, then the effective flag must also be specified as enabled for all other capabilities for which the corresponding permitted or @@ -1137,7 +1146,8 @@ Note that the creation of a version 3 .I security.capability extended attribute is automatic. That is to say, when a user-space application writes -.RB ( setxattr (2)) +\%(\c +.MR setxattr 2 ) a .I security.capability attribute in the version 2 format, @@ -1146,7 +1156,8 @@ if the attribute is created in the circumstances described above. Correspondingly, when a version 3 .I security.capability attribute is retrieved -.RB ( getxattr (2)) +\%(\c +.MR getxattr 2 ) by a process that resides inside a user namespace that was created by the root user ID (or a descendant of that user namespace), the returned attribute is (automatically) 
@@ -1155,9 +1166,9 @@ simplified to appear as a version 2 attribute not include the root user ID). These automatic translations mean that no changes are required to user-space tools (e.g., -.BR setcap (1) +.MR setcap 1 and -.BR getcap (1)) +.MR getcap 1 ) in order for those tools to be used to create and retrieve version 3 .I security.capability attributes. @@ -1173,7 +1184,7 @@ created or modified. .\" .SS Transformation of capabilities during execve() During an -.BR execve (2), +.MR execve 2 , the kernel calculates the new capabilities of the process using the following algorithm: .P @@ -1197,11 +1208,11 @@ where: .TP P() denotes the value of a thread capability set before the -.BR execve (2) +.MR execve 2 .TP P'() denotes the value of a thread capability set after the -.BR execve (2) +.MR execve 2 .TP F() denotes a file capability set @@ -1212,14 +1223,14 @@ transformation rules: .IP \[bu] 3 The ambient capability set is present only since Linux 4.3. When determining the transformation of the ambient set during -.BR execve (2), +.MR execve 2 , a privileged file is one that has capabilities or has the set-user-ID or set-group-ID bit set. .IP \[bu] Prior to Linux 2.6.25, the bounding set was a system-wide attribute shared by all threads. That system-wide value was employed to calculate the new permitted set during -.BR execve (2) +.MR execve 2 in the same manner as shown above for .IR P(bounding) . .P @@ -1227,7 +1238,7 @@ in the same manner as shown above for during the capability transitions described above, file capabilities may be ignored (treated as empty) for the same reasons that the set-user-ID and set-group-ID bits are ignored; see -.BR execve (2). +.MR execve 2 . File capabilities are similarly ignored if the kernel was booted with the .I no_file_caps option. 
@@ -1235,12 +1246,12 @@ option. .IR Note : according to the rules above, if a process with nonzero user IDs performs an -.BR execve (2) +.MR execve 2 then any capabilities that are present in its permitted and effective sets will be cleared. For the treatment of capabilities when a process with a user ID of zero performs an -.BR execve (2), +.MR execve 2 , see .I Capabilities and execution of programs by root below. @@ -1248,7 +1259,7 @@ below. .SS Safety checking for capability-dumb binaries A capability-dumb binary is an application that has been marked to have file capabilities, but has not been converted to use the -.BR libcap (3) +.MR libcap 3 API to manipulate its capabilities. (In other words, this is a traditional set-user-ID-root program that has been switched to use file capabilities, @@ -1270,7 +1281,7 @@ occur is that the capability bounding set masked out some of the capabilities in the file permitted set.) If the process did not obtain the full set of file permitted capabilities, then -.BR execve (2) +.MR execve 2 fails with the error .BR EPERM . This prevents possible security risks that could arise when @@ -1278,7 +1289,7 @@ a capability-dumb application is executed with less privilege than it needs. Note that, by definition, the application could not itself recognize this problem, since it does not employ the -.BR libcap (3) +.MR libcap 3 API. .\" .SS Capabilities and execution of programs by root 
@@ -1310,13 +1321,13 @@ then the file effective bit is notionally defined to be one (enabled). These notional values for the file's capability sets are then used as described above to calculate the transformation of the process's capabilities during -.BR execve (2). +.MR execve 2 . .P Thus, when a process with nonzero UIDs -.BR execve (2)s +.MR execve 2 s a set-user-ID-root program that does not have capabilities attached, or when a process whose real and effective UIDs are zero -.BR execve (2)s +.MR execve 2 s a program, the calculation of the process's new permitted capabilities simplifies to: .P @@ -1368,11 +1379,11 @@ but confers no capabilities to that process. .SS Capability bounding set The capability bounding set is a security mechanism that can be used to limit the capabilities that can be gained during an -.BR execve (2). +.MR execve 2 . The bounding set is used in the following ways: .IP \[bu] 3 During an -.BR execve (2), +.MR execve 2 , the capability bounding set is ANDed with the file permitted capability set, and the result of this operation is assigned to the thread's permitted capability set. @@ -1382,13 +1393,13 @@ capabilities that may be granted by an executable file. (Since Linux 2.6.25) The capability bounding set acts as a limiting superset for the capabilities that a thread can add to its inheritable set using -.BR capset (2). +.MR capset 2 . This means that if a capability is not in the bounding set, then a thread can't add this capability to its inheritable set, even if it was in its permitted capabilities, and thereby cannot have this capability preserved in its permitted set when it -.BR execve (2)s +.MR execve 2 s a file that has the capability in its inheritable set. .P Note that the bounding set masks the file permitted capabilities, 
@@ -1409,12 +1420,12 @@ is a per-thread attribute. (The system-wide capability bounding set described below no longer exists.) .P The bounding set is inherited at -.BR fork (2) +.MR fork 2 from the thread's parent, and is preserved across an -.BR execve (2). +.MR execve 2 . .P A thread may remove capabilities from its capability bounding set using the -.BR prctl (2) +.MR prctl 2 .B PR_CAPBSET_DROP operation, provided it has the .B CAP_SETPCAP @@ -1422,7 +1433,7 @@ capability. Once a capability has been dropped from the bounding set, it cannot be restored to that set. A thread can determine if a capability is in its bounding set using the -.BR prctl (2) +.MR prctl 2 .B PR_CAPBSET_READ operation. .P @@ -1488,8 +1499,8 @@ To preserve the traditional semantics for transitions between the kernel makes the following changes to a thread's capability sets on changes to the thread's real, effective, saved set, and filesystem user IDs (using -.BR setuid (2), -.BR setresuid (2), +.MR setuid 2 , +.MR setresuid 2 , or similar): .IP \[bu] 3 If one or more of the real, effective, or saved set user IDs @@ -1505,7 +1516,7 @@ If the effective user ID is changed from nonzero to 0, then the permitted set is copied to the effective set. .IP \[bu] If the filesystem user ID is changed from 0 to nonzero (see -.BR setfsuid (2)), +.MR setfsuid 2 ), then the following capabilities are cleared from the effective set: .BR CAP_CHOWN , .BR CAP_DAC_OVERRIDE , @@ -1531,14 +1542,14 @@ securebits flag described below. .SS Programmatically adjusting capability sets A thread can retrieve and change its permitted, effective, and inheritable capability sets using the -.BR capget (2) +.MR capget 2 and -.BR capset (2) +.MR capset 2 system calls. However, the use of -.BR cap_get_proc (3) +.MR cap_get_proc 3 and -.BR cap_set_proc (3), +.MR cap_set_proc 3 , both provided in the .I libcap package, 
@@ -1579,7 +1590,7 @@ when it switches all of its UIDs to nonzero values. If this flag is not set, then such a UID switch causes the thread to lose all permitted capabilities. This flag is always cleared on an -.BR execve (2). +.MR execve 2 . .IP Note that even with the .B SECBIT_KEEP_CAPS @@ -1598,7 +1609,7 @@ flag is set. (The latter flag provides a superset of the effect of the former flag.) .IP This flag provides the same functionality as the older -.BR prctl (2) +.MR prctl 2 .B PR_SET_KEEPCAPS operation. .TP @@ -1615,14 +1626,14 @@ above. If this bit is set, then the kernel does not grant capabilities when a set-user-ID-root program is executed, or when a process with an effective or real UID of 0 calls -.BR execve (2). +.MR execve 2 . (See .I Capabilities and execution of programs by root above.) .TP .B SECBIT_NO_CAP_AMBIENT_RAISE Setting this flag disallows raising ambient capabilities via the -.BR prctl (2) +.MR prctl 2 .B PR_CAP_AMBIENT_RAISE operation. .P @@ -1640,7 +1651,7 @@ and The .I securebits flags can be modified and retrieved using the -.BR prctl (2) +.MR prctl 2 .B PR_SET_SECUREBITS and .B PR_GET_SECUREBITS @@ -1658,7 +1669,7 @@ The .I securebits flags are inherited by child processes. During an -.BR execve (2), +.MR execve 2 , all of the flags are preserved, except .B SECBIT_KEEP_CAPS which is always cleared. @@ -1691,7 +1702,7 @@ when executed by any process inside that namespace or any descendant user namespace. .P The rules about the transformation of the process's capabilities during the -.BR execve (2) +.MR execve 2 are exactly as described in .I Transformation of capabilities during execve() and 
@@ -1755,7 +1766,7 @@ or when executed by a process that resides in a descendant of such a namespace. .SS Interaction with user namespaces For further information on the interaction of capabilities and user namespaces, see -.BR user_namespaces (7). +.MR user_namespaces 7 . .SH STANDARDS No standards govern capabilities, but the Linux capability implementation is based on the withdrawn @@ -1764,7 +1775,7 @@ POSIX.1e draft standard .UE . .SH NOTES When attempting to -.BR strace (1) +.MR strace 1 binaries that have capabilities (or set-user-ID-root binaries), you may find the .I \-u <username> @@ -1804,13 +1815,13 @@ The package provides a suite of routines for setting and getting capabilities that is more comfortable and less likely to change than the interface provided by -.BR capset (2) +.MR capset 2 and -.BR capget (2). +.MR capget 2 . This package also provides the -.BR setcap (8) +.MR setcap 8 and -.BR getcap (8) +.MR getcap 8 programs. It can be found at .br 
@@ -1843,30 +1854,30 @@ capability removed from its per-process bounding set, and that bounding set is inherited by all other processes created on the system. .SH SEE ALSO -.BR capsh (1), -.BR setpriv (1), -.BR prctl (2), -.BR setfsuid (2), -.BR cap_clear (3), -.BR cap_copy_ext (3), -.BR cap_from_text (3), -.BR cap_get_file (3), -.BR cap_get_proc (3), -.BR cap_init (3), -.BR capgetp (3), -.BR capsetp (3), -.BR libcap (3), -.BR proc (5), -.BR credentials (7), -.BR pthreads (7), -.BR user_namespaces (7), +.MR capsh 1 , +.MR setpriv 1 , +.MR prctl 2 , +.MR setfsuid 2 , +.MR cap_clear 3 , +.MR cap_copy_ext 3 , +.MR cap_from_text 3 , +.MR cap_get_file 3 , +.MR cap_get_proc 3 , +.MR cap_init 3 , +.MR capgetp 3 , +.MR capsetp 3 , +.MR libcap 3 , +.MR proc 5 , +.MR credentials 7 , +.MR pthreads 7 , +.MR user_namespaces 7 , .BR captest (8), \" from libcap-ng .BR filecap (8), \" from libcap-ng -.BR getcap (8), -.BR getpcaps (8), +.MR getcap 8 , +.MR getpcaps 8 , .BR netcap (8), \" from libcap-ng .BR pscap (8), \" from libcap-ng -.BR setcap (8) +.MR setcap 8 .P .I include/linux/capability.h in the Linux kernel source tree |
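Review bot: the hunk at @@ -664,18 +671,18 @@ leaves the "Perform I/O port operations" parenthetical half converted: the unchanged context line `.RB ( iopl (2)` keeps the old macro while the line after it becomes `.MR ioperm 2 );`, so one parenthesized pair now mixes `.RB` and `.MR`. Every other occurrence of this pattern in the patch (the `mlock`, `setuid`, `nice`, `settimeofday` and `setcap` lists) is rewritten as `\%(\c` on its own line followed by `.MR` entries, so for consistency rewrite this one the same way: `\%(\c` / `.MR iopl 2` / `and` / `.MR ioperm 2 );`.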
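Review bot: in the SEE ALSO hunk at @@ -1843,30 +1854,30 @@ the four entries marked `\" from libcap-ng` (`captest`, `filecap`, `netcap`, `pscap`) keep `.BR name (8),` while every neighbouring entry moves to `.MR name 8 ,`. The trailing comments make the intent readable, but the rule being applied (pages that are not part of this project are not converted to `.MR`) is stated nowhere in the change itself, and `.MR strace 1` in the NOTES hunk at @@ -1764,7 +1775,7 @@ is a cross-reference to an external program that is converted, so the boundary is not obvious from the diff alone. State the rule in the commit message, or add a one-line `.\"` comment above these four entries, so the next sweep does not "fix" them.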