next up previous contents
Next: Insight into the set Up: Privileges and permissions Previous: Filesystem permissions   Contents


Privileges

The privileges that can be granted or refused to an executable are a superset of the usual linux capabilities.

Indeed, to the usual linux capabilities2.1, we added some LIDS ones, for LIDS special features.

Thus, to the following ones :

CAP_CHOWN
chown/chgrp
CAP_DAC_OVERRIDE
DAC access
CAP_DAC_READ_SEARCH
DAC read
CAP_FOWNER
owner ID not equal user ID
CAP_FSETID
effective user ID not equal owner ID
CAP_KILL
real/effective ID not equal process ID
CAP_SETGID
setgid
CAP_SETUID
set*uid
CAP_SETPCAP
transfer capability
CAP_LINUX_IMMUTABLE
immutable and append file attributes
CAP_NET_BIND_SERVICE
binding to ports below 1024
CAP_NET_BROADCAST
broadcasting/listening to multicast
CAP_NET_ADMIN
interface/firewall/routing changes
CAP_NET_RAW
raw sockets
CAP_IPC_LOCK
locking of shared memory segments
CAP_IPC_OWNER
IPC ownership checks
CAP_SYS_MODULE
insertion and removal of kernel modules
CAP_SYS_RAWIO
ioperm/iopl access
CAP_SYS_CHROOT
chroot
CAP_SYS_PTRACE
ptrace
CAP_SYS_PACCT
configuration of process accounting
CAP_SYS_ADMIN
tons of admin stuff
CAP_SYS_BOOT
reboot
CAP_SYS_NICE
nice
CAP_SYS_RESOURCE
setting resource limits
CAP_SYS_TIME
setting system time
CAP_SYS_TTY_CONFIG
tty configuration

We add these ones :

LIDS_LFS_MASTER
can be a LFS2.2 master.
LIDS_UMOUNT
to unmount partitions
LIDS_UNKILLABLE
to be unkillable (god mode)
LIDS_KILL
to kill unkillable processes (hehe!)
LIDS_HIDE
to be hidden
LIDS_OUTLAW
to ignore permissions rules (ie everything that concern fs accesses)

The capabilities set a process is given is the union of the capabilities its parent have and can transmit and the capabilities set it is given in lids.conf (which can depend upon uid).

In addition there are some useful sets of capabilities, for a more efficient use :

FULL_SET
all the capabilities
EMPTY_SET
no capability at all
SET_ALL_CAPS
everything that begin with CAP
SET_NET
everything that begin with CAP_NET
SET_SYS
everything that begin with CAP_SYS
SET_IPC
everything that begin with CAP_IPC
SET_DAC
everything that begin with CAP_DAC

and other ones whose need will appear with the utilisation of LIDS.


next up previous contents
Next: Insight into the set Up: Privileges and permissions Previous: Filesystem permissions   Contents
Biondi Philippe 2000-12-15