On Sunday 20 October 2002 16:16, Pavel Machek wrote:
> Hi!
>
> > > Ah, ok... I thought that things work like this: the capabilities
> > > support already is in the kernel, and to give an app a particular
> > > capability, one has to add a particalar extended attribute to the
> > > application executable. So I'm wrong here it seems?
> >
> > First of all, you can't use a standard user extended attribute, since
> > anyone with write access to the file will be allowed to set the
> > extended attribute. This isn't good if you're going to be granting
>
> What are extended attributes good for, then?
Extended attributes support different namespaces, like user.* and system.*.
The user.* namespace is treaded similarly to the file contents permission
wise, so users can associate attributes with files. Things like ACLs,
Capabilities, etc. are intended to be added to the system.* namespace. They
differ from user.* in that they require different permissions/capabilities
from the calling process.
ACLs are named system.posix_acl_access and system.posix_acl_default.
Capabilities could be named system.posix_caps, for example.
You can look this all up in the attr(5) manual page at
<http://acl.bestbits.at/cgi-man/attr.5>.
--Andreas.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu Oct 31 2002 - 22:00:33 EST