POSIX file capabilities: Parceling the power of root    Monday, December 24 2007 @ 03:55 AM EST Contributed by: sde Linux® has been using capabilities for years, but has recently acquired POSIX file capabilities. POSIX file capabilities split root user powers into smaller privileges, such as the ability to read files or to trace processes owned by another user. By assigning capabilities to a file, you can enable an unprivileged user to execute the file with those specified privileges. In this article, learn how to program using capabilities and how to switch on the ability of your system setuid root binaries to use file capabilities. Some programs need to perform privileged operations on behalf of an unprivileged user. For instance, the passwd program writes to the very sensitive /etc/passwd and /etc/shadow files. On UNIX® systems, you achieve this control by setting the setuid bit on the binary file. This bit tells the system that while the program is running -- regardless of who executed it -- it should be treated as belonging to the user who owns the file, typically the root user. Because the passwd program cannot be written to by the user, and is very constrained in what it allows the user to do, this setup is usually safe. More complicated programs make use of saved uids to switch back and forth between root and a non-root user. Read more   [ Views: 1122 ]

POSIX file capabilities: Parceling the power of root | 0 comments | Create New Account

Newest First Oldest First Flat Nested No Comments Threaded

The following comments are owned by whoever posted them. This site is not responsible for what they say.

No user comments.