Next: Insight into the set
Up: Privileges and permissions
Previous: Filesystem permissions
Contents
Privileges
The privileges that can be granted or refused to an executable are a
superset of the usual linux capabilities.
Indeed, to the usual linux capabilities2.1, we added some LIDS ones, for LIDS
special features.
Thus, to the following ones :
- CAP_CHOWN
- chown/chgrp
- CAP_DAC_OVERRIDE
- DAC access
- CAP_DAC_READ_SEARCH
- DAC read
- CAP_FOWNER
- owner ID not equal user ID
- CAP_FSETID
- effective user ID not equal owner ID
- CAP_KILL
- real/effective ID not equal process ID
- CAP_SETGID
- setgid
- CAP_SETUID
- set*uid
- CAP_SETPCAP
- transfer capability
- CAP_LINUX_IMMUTABLE
- immutable and append file attributes
- CAP_NET_BIND_SERVICE
- binding to ports below 1024
- CAP_NET_BROADCAST
- broadcasting/listening to multicast
- CAP_NET_ADMIN
- interface/firewall/routing changes
- CAP_NET_RAW
- raw sockets
- CAP_IPC_LOCK
- locking of shared memory segments
- CAP_IPC_OWNER
- IPC ownership checks
- CAP_SYS_MODULE
- insertion and removal of kernel modules
- CAP_SYS_RAWIO
- ioperm/iopl access
- CAP_SYS_CHROOT
- chroot
- CAP_SYS_PTRACE
- ptrace
- CAP_SYS_PACCT
- configuration of process accounting
- CAP_SYS_ADMIN
- tons of admin stuff
- CAP_SYS_BOOT
- reboot
- CAP_SYS_NICE
- nice
- CAP_SYS_RESOURCE
- setting resource limits
- CAP_SYS_TIME
- setting system time
- CAP_SYS_TTY_CONFIG
- tty configuration
We add these ones :
- LIDS_LFS_MASTER
- can be a LFS2.2 master.
- LIDS_UMOUNT
- to unmount partitions
- LIDS_UNKILLABLE
- to be unkillable (god mode)
- LIDS_KILL
- to kill unkillable processes (hehe!)
- LIDS_HIDE
- to be hidden
- LIDS_OUTLAW
- to ignore permissions rules (ie everything that concern fs accesses)
The capabilities set a process is given is the union of the
capabilities its parent have and can transmit and the capabilities set
it is given in lids.conf (which can depend upon uid).
In addition there are some useful sets of capabilities, for a more
efficient use :
- FULL_SET
- all the capabilities
- EMPTY_SET
- no capability at all
- SET_ALL_CAPS
- everything that begin with CAP
- SET_NET
- everything that begin with CAP_NET
- SET_SYS
- everything that begin with CAP_SYS
- SET_IPC
- everything that begin with CAP_IPC
- SET_DAC
- everything that begin with CAP_DAC
and other ones whose need will appear with the utilisation of LIDS.
Next: Insight into the set
Up: Privileges and permissions
Previous: Filesystem permissions
Contents
Biondi Philippe
2000-12-15