277 lines
8.5 KiB
Groff
277 lines
8.5 KiB
Groff
.TH capabilities 4
|
|
.SH NAME
|
|
capabilities \- Capability Mechanism
|
|
.SH SYNOPSIS
|
|
\f3#include <sys/capability.h>\fP
|
|
.SH DESCRIPTION
|
|
The capability mechanism provides fine grained control over the
|
|
privileges of a process. As a process attribute, a capability allows
|
|
the process to perform a specific set of restricted operations,
|
|
without granting general override of the system's protection scheme.
|
|
A process can possess multiple capabilities. Collectively, all
|
|
defined capabilities comprise the set of abilities that are
|
|
traditionally associated with the root user.
|
|
.P
|
|
Defined capabilities are:
|
|
.TP
|
|
CAP_ACCT_MGT
|
|
Privilege to use accounting setup system calls, \f4acct\f1(2).
|
|
.TP
|
|
CAP_AUDIT_CONTROL
|
|
Privilege to manage the system audit trail (\f4sat_read\fP(2) and
|
|
\f4sat_write\fP(2) system calls).
|
|
.TP
|
|
CAP_AUDIT_WRITE
|
|
Privilege to write to the system audit trail, \f4sat_write\fP(2) system call.
|
|
.TP
|
|
CAP_CHOWN
|
|
Privilege to change the owner of a file not owned by the process when
|
|
the system is configured with _POSIX_CHOWN_RESTRICTED enabled.
|
|
.TP
|
|
CAP_CHROOT
|
|
Privilege to use the \f4chroot\f1(2) system call.
|
|
.TP
|
|
CAP_DAC_EXECUTE
|
|
Privilege to execute a file when the permissions or Access Control List
|
|
prohibit it.
|
|
.TP
|
|
CAP_DAC_READ_SEARCH
|
|
Privilege to read a file or search a directory when the permissions
|
|
or Access Control List prohibit it.
|
|
.TP
|
|
CAP_DAC_WRITE
|
|
Privilege to write a file or update a directory when the permissions
|
|
or Access Control List prohibit it.
|
|
.TP
|
|
CAP_DEVICE_MGT
|
|
Privilege to issue restricted device management calls and \f4ioctl\fP
|
|
actions.
|
|
.TP
|
|
CAP_FOWNER
|
|
Privilege to operate on a file as if the process owns it (e.g., change
|
|
permissions, ownership, access times, etc.).
|
|
.TP
|
|
CAP_FSETID
|
|
Privilege to set the setuid or setgid bits of a file without being the owner.
|
|
Also, the privilege to change the owner of a setuid or setgid file.
|
|
.TP
|
|
CAP_INF_DOWNGRADE
|
|
Not supported, silently ignored.
|
|
.TP
|
|
CAP_INF_NOFLOAT_OBJ
|
|
Not supported, silently ignored.
|
|
.TP
|
|
CAP_INF_NOFLOAT_SUBJ
|
|
Not supported, silently ignored.
|
|
.TP
|
|
CAP_INF_RELABEL_SUBJ
|
|
Not supported, silently ignored.
|
|
.TP
|
|
CAP_INF_UPGRADE
|
|
Not supported, silently ignored.
|
|
.TP
|
|
CAP_KILL
|
|
Privilege to send a signal to a process that is not owned by the sender.
|
|
Also, privilege to use process synchronization calls (\f4procblk\fP)
|
|
to a process.
|
|
.TP
|
|
CAP_LINK_DIR
|
|
Not supported.
|
|
.TP
|
|
CAP_MAC_DOWNGRADE
|
|
Privilege to change the MAC label of an object to a value that is dominated
|
|
by the previous label. (Only on systems with MAC enabled.)
|
|
.TP
|
|
CAP_MAC_MLD
|
|
Allows a process to change its own MAC label to a moldy label. A process
|
|
with a moldy label can view the hidden directory structure of a multilevel
|
|
directory. (Only on systems with MAC enabled.)
|
|
.TP
|
|
CAP_MAC_READ
|
|
Privilege to read information whose MAC label dominates that of the
|
|
reader. (Only on systems with MAC enabled.)
|
|
.TP
|
|
CAP_MAC_RELABEL_OPEN
|
|
Privilege to change the MAC label of an open file.
|
|
(Only on systems with MAC enabled.)
|
|
.TP
|
|
CAP_MAC_RELABEL_SUBJ
|
|
Allows a process to change its own MAC label.
|
|
(Only on systems with MAC enabled.)
|
|
.TP
|
|
CAP_MAC_UPGRADE
|
|
Privilege to change the MAC label of an object to a value that dominates
|
|
the previous label. (Only on systems with MAC enabled.)
|
|
.TP
|
|
CAP_MAC_WRITE
|
|
Privilege to write information whose MAC label does not equal that
|
|
of the writer. (Only on systems with MAC enabled.)
|
|
.TP
|
|
CAP_MEMORY_MGT
|
|
Privilege to issue restricted memory management calls, primarily memory
|
|
locking.
|
|
.TP
|
|
CAP_MKNOD
|
|
Alias for CAP_DEVICE_MGT.
|
|
.TP
|
|
CAP_MOUNT_MGT
|
|
Privilege to use the \f4mount\f1(2) and \f4unmount\f1(2) system calls.
|
|
.TP
|
|
CAP_NETWORK_MGT
|
|
Privilege to issue restricted networking calls (e.g., setting the network
|
|
interface MAC address, network interface device management, etc.).
|
|
.TP
|
|
CAP_NVRAM_MGT
|
|
Alias for CAP_SYSINFO_MGT.
|
|
.TP
|
|
CAP_PRIV_PORT
|
|
Privilege to open a \f4socket\f1 on a privileged TCP port.
|
|
.TP
|
|
CAP_PROC_MGT
|
|
Privilege to issue restricted process management calls.
|
|
.TP
|
|
CAP_QUOTA_MGT
|
|
Privilege to issue restricted quota management calls.
|
|
.TP
|
|
CAP_SCHED_MGT
|
|
Privilege to issue restricted scheduler calls, such as the real time
|
|
scheduler interfaces.
|
|
.TP
|
|
CAP_SETFCAP
|
|
Privilege to change the capability sets of a file.
|
|
.TP
|
|
CAP_SETGID
|
|
Allows a process to change its real GID, effective GID, saved GID,
|
|
and process group ID.
|
|
.TP
|
|
CAP_SETPCAP
|
|
Allows a process to change its capability sets.
|
|
.TP
|
|
CAP_SETUID
|
|
Allows a process to change its real, effective and saved UIDs.
|
|
.TP
|
|
CAP_SHUTDOWN
|
|
Privilege to shutdown or reboot the system.
|
|
.TP
|
|
CAP_SIGMASK
|
|
Not supported, silently ignored.
|
|
.TP
|
|
CAP_STREAMS_MGT
|
|
Privilege to use restricted STREAMS calls and operations.
|
|
.TP
|
|
CAP_SWAP_MGT
|
|
Privilege to use the \f4swap\fP(2) system call.
|
|
.TP
|
|
CAP_SYSINFO_MGT
|
|
Privilege to set system information (e.g., \f4hostname\fP values,
|
|
NVRAM values, etc.).
|
|
.TP
|
|
CAP_SVIPC_MGT
|
|
Not supported, silently ignored.
|
|
.TP
|
|
CAP_TIME_MGT
|
|
Privilege to set the system time.
|
|
.TP
|
|
CAP_XTCB
|
|
Identifies a trusted client to the X server (i.e. trusted path).
|
|
.P
|
|
A process has three, possibly empty, sets of capabilities. The
|
|
permitted capability set is the maximum set of capabilities for
|
|
the process. The effective capability set contains those
|
|
capabilities that are currently active for the process. The
|
|
inherited capability set contains those capabilities that the
|
|
process may pass to the next process image across \f4exec\fP(2).
|
|
.P
|
|
Only capabilities in a process' effective capability set allow
|
|
the process to perform restricted operations. A process may
|
|
use capability management functions to add or remove capabilities
|
|
from its effective capability set. However the capabilities
|
|
that a process can make effective are limited to those that
|
|
exist in its permitted capability set.
|
|
.P
|
|
Only capabilities in the process' inherited capability set can
|
|
be passed across \f4exec\fP(2).
|
|
.P
|
|
Capabilities are also associated with files.
|
|
There may or may not be a capability set associated with a specific
|
|
file. If a file has no capability set, execution of this
|
|
file through an \f4exec\fP(2) will leave the process' capability set
|
|
unchanged. If a file has a capability set, execution of file will
|
|
affect the process' capability set in the following way: a file's
|
|
inherited capability set further constrains the process inherited
|
|
capabilities that are passed from one process image to another.
|
|
The file's permitted capability set contains the
|
|
capabilities that are unconditionally permitted to a process
|
|
upon execution of that file. The file's effective capabilities
|
|
are the capabilities that become immediately active for the
|
|
process upon execution of the file.
|
|
.P
|
|
More precisely described, the process capability assignment
|
|
algorithm is:
|
|
|
|
.Ex
|
|
.nf
|
|
I-proc-new = I-proc-old & I-file
|
|
P-proc-new = P-file | (I-proc-new & P-proc-old)
|
|
E-proc-new = P-proc-new & E-file
|
|
.fi
|
|
.Ee
|
|
.P
|
|
File capabilities are supported only on XFS file systems.
|
|
.P
|
|
At the interface to the library routines, the capability sets
|
|
are represented in a
|
|
\f2struct cap_set\fP which is defined in \f2<sys/capability.h>\fP.
|
|
|
|
.Ex
|
|
.nf
|
|
typedef __uint64_t cap_value_t;
|
|
|
|
struct cap_set {
|
|
cap_value_t cap_effective; /* use in capability checks */
|
|
cap_value_t cap_permitted; /* combined with file attrs */
|
|
cap_value_t cap_inheritable;/* pass through exec */
|
|
};
|
|
typedef struct cap_set cap_set_t;
|
|
typedef struct cap_set * cap_t;
|
|
.fi
|
|
.Ee
|
|
|
|
Macros in \f4<sys/capability.h>\fP may be used to query, set or examine the
|
|
capability sets.
|
|
.SH EXTERNAL REPRESENTATION
|
|
The routines \f4cap_from_text\fP(3c) and \f4cap_to_text\fP(3c) do the
|
|
conversion between the internal structures and the external text form
|
|
of capabilities. The output of \f4cap_to_text\fP may be used in
|
|
\f4cap_from_text\fP to recreate the original capability sets.
|
|
.P
|
|
The text representation of capability sets is a string, which consists of
|
|
one or more capability lists. Each capability list has the form:
|
|
.ce
|
|
capname[,capname]OF
|
|
.br
|
|
where capname is a defined capability name (described above). The name
|
|
ALL indicates all capabilities.
|
|
.P
|
|
F is a sequence of one or more flags chosen from "e", "i", "p"
|
|
indicating which capability sets are to be affected. "e" indicates
|
|
the effective capability set, "p" indicates the permitted capability
|
|
set, and "i" indicates the inherited capability set.
|
|
.P
|
|
O is the operation chosen from "=", "+", "-", indicating to initialize,
|
|
add, or delete the specified capabilities in the affected capability
|
|
sets.
|
|
.P
|
|
The capability lists are interpreted sequentially.
|
|
.P
|
|
All characters from the symbol "#" to the end of the line are interpreted
|
|
as comments and are ignored.
|
|
.SH "SEE ALSO"
|
|
chcap(1),
|
|
cap_get_proc(3C),
|
|
cap_set_proc(3C),
|
|
cap_from_text(3C),
|
|
cap_to_text(3C),
|
|
capability(4),
|
|
dominance(5).
|