Next: 13.2 allowpriv: related to
Up: 13 Access control other
Previous: 13 Access control other
Strings that begin with cap_ are POSIX capabilities. See man capabilities for their detailed meaning.
The following POSIX capabilities cannot be configured here, because they are configured in a different place:
- CAP_NET_BIND_SERVICE
This restricts the use of well-known ports, but allownet lets you configure that more precisely, so it is omitted.
- CAP_MKNOD
This is allowed by allowpriv devcreate.
- CAP_AUDIT_WRITE
The operations restricted by this are the same as those of allowpriv audit_write, so it is omitted.
- CAP_AUDIT_CONTROL
The operations restricted by this are the same as those of allowpriv audit_control, so it is omitted.
- cap_sys_pacct
Configures kernel process accounting (see acct(2)).
- cap_sys_module
Allows loading kernel modules.
- cap_net_admin
Allows the capability CAP_NET_ADMIN (such as administering NICs and the routing table).
- cap_sys_boot
Allows the capability CAP_SYS_BOOT, i.e. use of the reboot system call.
- cap_sys_rawio
Allows the capability CAP_SYS_RAWIO, i.e. use of the ioperm and iopl system calls and access to /dev/mem.
- cap_sys_chroot
Allows the use of chroot.
- cap_sys_nice
Allows the capability CAP_SYS_NICE, i.e. changing process scheduling.
- cap_sys_resource
Allows the capability CAP_SYS_RESOURCE, i.e. use of rlimit etc.
- cap_sys_time
Allows the capability CAP_SYS_TIME, i.e. modifying the system clock.
- cap_sys_admin
The same as the POSIX capability CAP_SYS_ADMIN. This permission overlaps with other permissions, so allowing it is not so serious a problem. Denying it restricts sethostname and some ioctl operations.
- cap_sys_tty_config
The same as the capability CAP_SYS_TTY_CONFIG: changing the keyboard configuration and use of the vhangup call.
- cap_ipc_lock
Allows the capability CAP_IPC_LOCK, i.e. locking memory.
- cap_dac_override
- cap_dac_read_search
- cap_setuid
- cap_setgid
- cap_chown
- cap_setpcap
- cap_fowner
- cap_fsetid
- cap_linux_immutable
- cap_sys_ptrace
- cap_lease
- cap_ipc_owner
- cap_kill
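When deciding which allowpriv cap_* privileges a confined program actually needs, a practical starting point is the set of capabilities it already holds, as shown in the CapEff line of /proc/<pid>/status. The script below is an added example, not part of this manual or of seedit: it decodes such a mask using the capability bit numbers from linux/capability.h (CAP_CHOWN = 0 ... CAP_AUDIT_CONTROL = 30), maps each bit to the cap_* name from the list above, and separates out the four capabilities this section says are handled by allownet or another allowpriv privilege. The "allowpriv cap_xxx;" output form and the constructed status excerpt are assumptions made for illustration.

```python
# Added example (not from the seedit/SPDL documentation): decode a Linux
# capability mask as reported in /proc/<pid>/status (CapEff) into the cap_*
# names used by allowpriv, flagging the capabilities this section says are
# configured elsewhere. Bit numbers follow linux/capability.h.
# The "allowpriv cap_xxx;" statement form is an assumed syntax for illustration.

CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
]

# Privileges this section lists as configurable with allowpriv cap_*.
ALLOWPRIV_CAPS = {
    "sys_pacct", "sys_module", "net_admin", "sys_boot", "sys_rawio",
    "sys_chroot", "sys_nice", "sys_resource", "sys_time", "sys_admin",
    "sys_tty_config", "ipc_lock", "dac_override", "dac_read_search",
    "setuid", "setgid", "chown", "setpcap", "fowner", "fsetid",
    "linux_immutable", "sys_ptrace", "lease", "ipc_owner", "kill",
}

# Capabilities the section says allowpriv cap_* does not take, and why.
HANDLED_ELSEWHERE = {
    "net_bind_service": "restrict ports with allownet instead",
    "mknod": "use allowpriv devcreate",
    "audit_write": "use allowpriv audit_write",
    "audit_control": "use allowpriv audit_control",
}


def decode_cap_mask(mask_hex):
    """Return the capability names whose bit is set in a CapEff-style hex mask."""
    mask = int(mask_hex, 16)
    names = [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]
    # Bits above the table (capabilities added in later kernels) are reported
    # generically rather than silently dropped.
    for bit in range(len(CAP_NAMES), mask.bit_length()):
        if mask >> bit & 1:
            names.append("unknown_cap_%d" % bit)
    return names


def caps_from_status(status_text):
    """Find the CapEff line in /proc/<pid>/status text and decode it."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return decode_cap_mask(line.split(":", 1)[1].strip())
    raise ValueError("no CapEff line found")


def allowpriv_lines(cap_names):
    """Translate capability names into allowpriv statements (assumed syntax).

    Returns (statements, notes): statements for capabilities this section
    lists under allowpriv cap_*, notes for the ones configured elsewhere or
    not listed on the page at all.
    """
    statements, notes = [], []
    for name in cap_names:
        if name in HANDLED_ELSEWHERE:
            notes.append("%s: %s" % (name, HANDLED_ELSEWHERE[name]))
        elif name in ALLOWPRIV_CAPS:
            statements.append("allowpriv cap_%s;" % name)
        else:
            notes.append("%s: no allowpriv privilege listed for this" % name)
    return statements, notes


# Constructed sample: a status excerpt for a daemon holding CAP_SETGID (6),
# CAP_SETUID (7), CAP_NET_BIND_SERVICE (10) and CAP_SYS_CHROOT (18).
SAMPLE_STATUS = """\
Name:\tsampled
CapInh:\t0000000000000000
CapPrm:\t00000000000404c0
CapEff:\t00000000000404c0
"""

if __name__ == "__main__":
    caps = caps_from_status(SAMPLE_STATUS)
    stmts, notes = allowpriv_lines(caps)
    print("effective capabilities:", ", ".join(caps))
    print("\n".join(stmts))
    for note in notes:
        print("# " + note)
```

Run against the constructed excerpt, the script emits allowpriv statements for cap_setgid, cap_setuid and cap_sys_chroot and a note that the port binding should be expressed with allownet. The CapEff mask is the effective set at the moment of sampling, so capabilities a program only raises later in its lifetime, or only in some code paths, will not appear; treat the output as a starting point to be trimmed, not as a complete policy.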
Yuichi Nakamura
2006-11-13