On Wed, 22 Mar 2000, Nicolas MONNET wrote:
>
> I've searched, I've asked, and I did my best to avoid posting this here as
> I felt this was offtopic; but reading kernel traffic I realized there had
> been a thread on the practical usability of capabilities.
We are the last gate before hell.
> It got down to, to be usable, you need to have those implemented in the
> file system.
>
> I can think of many uses, however, where it's not needed. Actually, I'm
> not going to use capabilities on SUID-like files. Practically, you need
> them for daemon, for example for daemon who need priviledged port
> accesses.
>
> Example:
>
> I have a stand-alone daemon who I want to be able to run as an
> unpriviledged user, bound to port 80, for example. Apache, for example.
>
> How do I implement this? How can I wrap something simply that will wrap
> Apache and start it up completely non-root?
>
>
> (The reason, in this particular case, is that i want to run it in a
> complete chroot jail, while retaining configurability by the user;
> clearly, it can't be running as root in this case)
Yes, you really need capabilities.
I found something nice for you, check at
ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/capfaq-0.2.txt
and join the linux-privs mailing list at
ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/index.html
-augusto
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu Mar 23 2000 - 21:00:37 EST