diff options
Diffstat (limited to 'man7/capabilities.7')
-rw-r--r-- | man7/capabilities.7 | 402 |
1 files changed, 402 insertions, 0 deletions
diff --git a/man7/capabilities.7 b/man7/capabilities.7 new file mode 100644 index 000000000..deb3c380c --- /dev/null +++ b/man7/capabilities.7 @@ -0,0 +1,402 @@ +.\" Copyright (c) 2002 by Michael Kerrisk (mtk16@ext.canterbury.ac.nz) +.\" +.\" Permission is granted to make and distribute verbatim copies of this +.\" manual provided the copyright notice and this permission notice are +.\" preserved on all copies. +.\" +.\" Permission is granted to copy and distribute modified versions of this +.\" manual under the conditions for verbatim copying, provided that the +.\" entire resulting derived work is distributed under the terms of a +.\" permission notice identical to this one. +.\" +.\" Since the Linux kernel and libraries are constantly changing, this +.\" manual page may be incorrect or out-of-date. The author(s) assume no +.\" responsibility for errors or omissions, or for damages resulting from +.\" the use of the information contained herein. +.\" +.\" Formatted or processed versions of this manual, if unaccompanied by +.\" the source, must acknowledge the copyright and authors of this work. +.\" License. +.\" +.\" 6 Aug 2002 - Initial Creation +.\" Modified 2003-05-23, Michael Kerrisk, <mtk16@ext.canterbury.ac.nz> +.\" Modified 2004-05-27, Michael Kerrisk, <mtk16@ext.canterbury.ac.nz> +.\" +.\" +.TH CAPABILITIES 7 2004-05-27 "Linux 2.6.6" "Linux Programmer's Manual" +.SH NAME +capabilities \- overview of Linux capabilities +.SH DESCRIPTION + +For the purpose of performing permission checks, +traditional Unix implementations distinguish two categories of processes: +.I privileged +processes (whose effective user ID is 0, referred to as superuser or root), +and +.I unprivileged +processes (whose effective UID is non-zero). +Privileged processes bypass all kernel permission checks, +while unprivileged processes are subject to full permission +checking based on the process's credentials +(usually: effective UID, effective GID, and supplementary group list). + +Starting with kernel 2.2, Linux provides an +(as yet incomplete) system of +.IR capabilities , +which divide the privileges traditionally associated with superuser +into distinct units that can be independently enabled and disabled. +.SS Capabilities List + +As at Linux 2.6.6, the following capabilities are implemented: +.TP +.B CAP_CHOWN +Allow arbitrary changes to file UIDs and GIDs (see +.BR chown (2)). +.TP +.B CAP_DAC_OVERRIDE +Bypass file read, write, and execute permission checks. +(DAC = "discretionary access control".) +.TP +.B CAP_DAC_READ_SEARCH +Bypass file read permission checks and +directory read and execute permission checks. +.TP +.B CAP_FOWNER +Bypass permission checks on operations that normally +require the file system UID of the process to match the UID of +the file (e.g., +.BR chmod (2), +.BR utime (2)), +excluding those operations covered by the +.B CAP_DAC_OVERRIDE +and +.BR CAP_DAC_READ_SEARCH ; +set extended file attributes (see +.BR chattr (1)) +on arbitrary files; +set Access Control Lists (ACLs) on arbitrary files; +ignore directory sticky bit on file deletion. +.TP +.B CAP_FSETID +Don't clear set-user-ID and set-group-ID bits when a file is modified; +permit setting of the set-group-ID bit for a file whose GID does not match +the file system or any of the supplementary GIDs of the calling process. +.TP +.B CAP_IPC_LOCK +Permit memory locking +.RB ( mlock (2), +.BR mlockall (2), +.BR mmap (2), +.BR shmctl (2)). +.TP +.B CAP_IPC_OWNER +Bypass permission checks for operations on System V IPC objects. +.TP +.B CAP_KILL +Bypass permission checks for sending signals (see +.BR kill (2)). +This includes use of the KDSIGACCEPT ioctl. +.\" FIXME: CAP_KILL also an effect for threads + setting child +.\" termination signal to other than SIGCHLD +.TP +.B CAP_LEASE +(Linux 2.4 onwards) Allow file leases to be established on +arbitrary files (see +.BR fcntl (2)). +.TP +.B CAP_LINUX_IMMUTABLE +Allow setting of the +.B EXT2_APPEND_FL +and +.B EXT2_IMMUTABLE_FL +.\" These attributes are now available on ext2, ext3, Reiserfs +extended file attributes (see +.BR chattr (1)). +.TP +.B CAP_MKNOD +(Linux 2.4 onwards) +Allow creation of special files using +.BR mknod (2). +.TP +.B CAP_NET_ADMIN +Allow various network-related operations +(e.g., setting privileged socket options, +enabling multicasting, interface configuration, +modifying routing tables). +.TP +.B CAP_NET_BIND_SERVICE +Allow binding to Internet domain reserved socket ports +(port numbers less than 1024). +.TP +.B CAP_NET_BROADCAST +(Unused) Allow socket broadcasting, and listening multicasts. +.TP +.B CAP_NET_RAW +Permit use of RAW and PACKET sockets. +.\" Also various IP options and setsockopt(SO_BINDTODEVICE) +.TP +.B CAP_SETGID +Allow arbitrary manipulations of process GIDs and supplementary GID list; +allow forged GID when passing socket credentials via Unix domain sockets. +.TP +.B CAP_SETPCAP +Grant or remove any capability in the caller's +permitted capability set to or from any other process. +.TP +.B CAP_SETUID +Allow arbitrary manipulations of process UIDs +.RB ( setuid (2), +.BR setreuid (2), +.BR setresuid (2), +.BR setfsuid (2)); +allow forged UID when passing socket credentials via Unix domain sockets. +.\" FIXME: CAP_SETUID also an effect in exec() +.TP +.B CAP_SYS_ADMIN +Permit a range of system administration operations including: +.BR quotactl (2), +.BR mount (2), +.BR umount (2), +.BR swapon (2) , +.BR swapoff (2) , +.BR sethostname (2), +.BR setdomainname (2), +.B IPC_SET +and +.B IPC_RMID +operations on arbitrary System V IPC objects; +perform operations on +.I trusted +and +.I security +Extended Attributes (see +.BR attr (5)); +allow forged UID when passing socket credentials; +exceed +.I /proc/sys/fs/file-max +limit in system calls that open files (e.g., +.BR accept (2), +.BR execve (2), +.BR open (2), +.BR pipe (2)) +.TP +.B CAP_SYS_BOOT +Permit calls to +.BR reboot (2). +.TP +.B CAP_SYS_CHROOT +Permit calls to +.BR chroot (2). +.TP +.B CAP_SYS_MODULE +Allow loading and unloading of kernel modules; +allow modifications to capability bounding set (see +.BR init_module (2) +and +.BR delete_module (2)). +.TP +.B CAP_SYS_NICE +Allow raising process nice value +.RB ( nice (2), +.BR setpriority (2)) +and changing of the nice value for arbitrary processes; +allow setting of real-time scheduling policies for calling process, +and setting scheduling policies and priorities for arbitrary processes +.RB ( sched_setscheduler (2), +.BR sched_setparam (2)); +set CPU affinity for arbitrary processes +.RB ( sched_setaffinity ()). +.TP +.B CAP_SYS_PACCT +Permit calls to +.BR acct (2). +.TP +.B CAP_SYS_PTRACE +Allow arbitrary processes to be traced using +.BR ptrace (2) +.TP +.B CAP_SYS_RAWIO +Permit I/O port operations +.RB ( iopl (2) +and +.BR ioperm (2)); +access +.IT /proc/kcore . +.TP +.B CAP_SYS_RESOURCE +Permit: use of reserved space on ext2 file systems; +.BR ioctl (2) +calls controlling ext3 journaling; +disk quota limits to be overridden; +resource limits to be increased (see +.BR setrlimit (2)); +.B RLIMIT_NPROC +resource limit to be overridden; +.I msg_qbytes +limit for a message queue to be +raised above the limit in +.IR /proc/sys/kernel/msgmnb +(see +.BR msgop (2) +and +.BR msgctl (2). +.TP +.B CAP_SYS_TIME +Allow modification of system clock +.RB ( settimeofday (2), +.BR stime (2), +.BR adjtimex (2)); +allow modification of real-time (hardware) clock +.TP +.B CAP_SYS_TTY_CONFIG +Permit calls to +.BR vhangup (2). +.SS Process Capabilities +Each process has three capability sets containing zero or more +of the above capabilities: +.TP +.IR Effective : +the capabilities used by the kernel to +perform permission checks for the process. +.TP +.IR Permitted : +the capabilities that the process may assume +(i.e., a limiting superset for the effective and inheritable sets). +If a process drops a capability from its permitted set, +it can never re-acquire that capability (unless it execs a +set-UID-root program). +.TP +.IR Inherited : +the capabilities preserved across an +.BR execve (2). +.PP +In the current implementation, a process is granted all permitted and +effective capabilities (subject to the operation of the +capability bounding set described below) +when it execs a set-UID-root program, +or if a process with a real UID of zero execs a new program. +.PP +A child created via +.BR fork (2) +inherits copies of its parent's capability sets. +.PP +Using +.BR capset (2), +a process may manipulate its own capability sets, or, if it has the +.B CAP_SETPCAP +capability, those of another process. + +.SS Capability bounding set +When a program is execed, the permitted and effective capabities are ANDed +with the current value of the so-called +.IR "capability bounding set" , +defined in the file +.IR /proc/sys/kernel/cap-bound . +This parameter can be used to place a system-wide limit on the +capabilities granted to all subsequently executed programs. +(Confusingly, this bit mask parameter is expressed as a +signed decimal number in +.IR /proc/sys/kernel/cap-bound .) + +Only the +.B init +process may set bits in the capability bounding set; +other than that, the superuser may only clear bits in this set. + +On a standard system the capability bounding set always masks out the +.B CAP_SETPCAP +capability. +To remove this restriction, modify the definition of +.B CAP_INIT_EFF_SET +in +.I include/linux/capability.h +and rebuild the kernel. + +.SS Current and Future Implementation +A full implementation of capabilities requires: +.IP 1. 4 +that for all privileged operations, +the kernel check whether the process has the required +capability in its effective set. +.IP 2. 4 +that the kernel provide +system calls allowing a process's capability sets to +be changed and retrieved. +.IP 3. 4 +file system support for attaching capabilities to an executable file, +so that a process gains those capabilities when the file is execed. +.PP +As at Linux 2.6.6, only the first two of these requirements are met. + +Eventually, it should be possible to associate three +capability sets with an executable file, which, +in conjunction with the capability sets of the process, +will determine the capabilities of a process after an +.IR exec : +.TP +.IR Allowed : +this set is ANDed with the process's inherited set to determine which +inherited capabilities are permitted to the process after the exec. +.TP +.IR Forced : +the capabilities automatically permitted to the process, +regardless of the process's inherited capabilities. +.TP +.IR Effective : +those capabilities in the process's new permitted set are +also to be set in the new effective set. +(F(effective) would normally be either all zeroes or all ones.) +.PP +In the meantime, since the current implementation does not +support file capability sets, during an exec: +.IP 1. 4 +All three file capability sets are initially assumed to be cleared. +.IP 2. 4 +If a set-UID-root program is being execed, +or the real user ID of the process is 0 (root) +then the file allowed and forced sets are defined to be all ones +(i.e., all capabilities set). +.IP 3. 4 +If a set-UID-root program is being executed, +then the file effective set is defined to be all ones. +.PP +During an exec, the kernel calculates the new capabilities of +the process using the following algorithm: +.in +4 +.nf + +P'(permitted) = (P(inherited) & F(allowed)) | (F(forced) & cap_bset) + +P'(effective) = P'(permitted) & F(effective) + +P'(inherited) = P(inherited) [i.e., unchanged] + +.fi +.in -4 +where: +.IP P 10 +denotes the value of a process capability set before the exec +.IP P' 10 +denotes the value of a capability set after the exec +.IP F 10 +denotes a file capability set +.IP cap_bset 10 +is the value of the capability bounding set. +.SH NOTES +The +.I libcap +package provides a suite of routines for setting and +getting process capabilities that is more comfortable and less likely +to change than the interface provided by +.BR capset (2) +and +.BR capget (2). +.SH "CONFORMING TO" +No standards govern capabilities, but the Linux capability implementation +is based on the withdrawn POSIX 1003.1e draft standard. +.SH BUGS +There is as yet no file system support allowing capabilities to be +associated with executable files. +.SH "SEE ALSO" +.BR capget (2), +.BR prctl (2) |