Re: why are capabilities disabled?

From: Chris Wright
Date: Fri Feb 13 2004 - 13:24:04 EST


* Sven Köhler (skoehler@xxxxxx) wrote:
> >>"getpcaps 1" shows that the init-process is started without
> >>cap_setpcap, and I know that I can change that somehow.
> >>So why are capabilities disabled? And how do I enable them?

Oh, I see. Not having cap_setpcap does not mean capabilities are
disabled. It's the standard set.

> I found the hint again: I have to change the value CAP_INIT_EFF_SET in
> capability.h, so that init-process is not started with disabled
> cap_setpcap, but is this still a security risk?

Yes. Don't do that.

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
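
The point of the reply above, as an added example that is not part of the original message or of the kernel's own code: decoding the capability masks reported in /proc/<pid>/status shows that a process lacking cap_setpcap still has its other capabilities enabled. The status text is a constructed sample and the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define CAP_SETPCAP 8 /* capability number, as in <linux/capability.h> */

/* Constructed sample: capability lines as /proc/1/status would show them
 * when init runs with every effective capability except CAP_SETPCAP. */
static const char SAMPLE_STATUS[] =
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000ffffffff\n"
    "CapEff:\t00000000fffffeff\n";

/* Parse the hex mask of one "Cap...:" field; returns 0 on success, -1 if absent. */
static int read_cap_mask(const char *status, const char *field, uint64_t *mask)
{
    size_t n = strlen(field);
    const char *p = status;
    while (p && *p) {
        unsigned long long v;
        if (strncmp(p, field, n) == 0 && p[n] == ':') {
            if (sscanf(p + n + 1, "%llx", &v) != 1)
                return -1;
            *mask = v;
            return 0;
        }
        p = strchr(p, '\n'); /* advance to the start of the next line */
        if (p) p++;
    }
    return -1;
}

static int cap_is_set(uint64_t mask, int cap) { return (int)((mask >> cap) & 1); }
static int cap_count(uint64_t mask)
{
    int n = 0;
    for (; mask; mask &= mask - 1) /* clear the lowest set bit each round */
        n++;
    return n;
}

int main(void)
{
    uint64_t eff;
    if (read_cap_mask(SAMPLE_STATUS, "CapEff", &eff) != 0)
        return 1;
    printf("CapEff=%#llx: %d capabilities set, CAP_SETPCAP %s\n", (unsigned long long)eff,
           cap_count(eff), cap_is_set(eff, CAP_SETPCAP) ? "present" : "absent");
    return 0;
}
```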