capabilities¶

https://man7.org/linux/man-pages/man7/capabilities.7.html
https://zhuanlan.zhihu.com/p/90218053

1 简介¶

为了执行权限检查，传统的 UNIX 实现区分两类进程：特权进程（其有效用户 ID 为 0，称为超级用户或根）和非特权进程（有效 UID 为非零）。特权进程绕过所有内核权限检查，而非特权进程则根据进程的凭据（通常为：有效 UID、有效 GID 和补充组列表）进行完全权限检查。从内核 2.2 开始，Linux 将传统上与超级用户相关的权限划分为不同的单元，称为 capabilities，这些单元可以独立启用和禁用。capabilities 是每个线程的属性。

2 安装¶

yum install libcap

3 getcap¶

4 setcap¶

5 capsh¶

示例

$ capsh --print
Current: =
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
Ambient set =
Current IAB: 
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=1000(shw) euid=1000(shw)
gid=1000(shw)
groups=1000(shw)
Guessed mode: UNCERTAIN (0)