ANN: capwrap - grant capabilities to executables

Neil Schemenauer (nas@python.ca)
Sun, 17 Mar 2002 12:11:18 -0800

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Richard Gooch: "Re: fadvise syscall?"
Previous message: Miles Lane: "2.5.7-pre2 -- Error seeking in /dev/kmem"
Next in thread: H. Peter Anvin: "Re: ANN: capwrap - grant capabilities to executables"
Reply: H. Peter Anvin: "Re: ANN: capwrap - grant capabilities to executables"

I've written a small moduleš that enables the use of Linux capabilities
on filesystems that do not support them. It is similar in spirit to ELF
capabilities hack˛ but is not specific to the ELF executable format and
is implemented as separate kernel module.

To grant capabilities to an executable, a small wrapper file is created
that includes the path to an executable followed a capability set
written in hexadecimal. When this file is executed by the kernel, the
executable is granted the specified capabilities. The wrapper file must
be owned by root and have the SUID bit set.

For example, to remove the SUID bit on the ping program while retaining
its functionality:

# chmod -s /bin/ping
# mv /bin/ping /bin/ping_real
# echo '&/bin/ping_real 2000' > /bin/ping
# chmod +xs /bin/ping

Comments welcome.

Neil

š http://arctrix.com/nas/linux/capwrap.tar.gz
˛ http://atrey.karlin.mff.cuni.cz/~pavel/elfcap.html
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Richard Gooch: "Re: fadvise syscall?"
Previous message: Miles Lane: "2.5.7-pre2 -- Error seeking in /dev/kmem"
Next in thread: H. Peter Anvin: "Re: ANN: capwrap - grant capabilities to executables"
Reply: H. Peter Anvin: "Re: ANN: capwrap - grant capabilities to executables"