Listings Question About Ping
Reindl Harald
h.reindl at thelounge.net
Fri Dec 23 21:59:02 UTC 2011
On 23.12.2011 22:52, Aaron Konstam wrote:
>>> I guess I am thick because I can't understand the explanation in the web
>>> page above. An example or two might have helped.
>>
>> you need to understand what SETUID and CAPABILITIES are
>> what examples are you expecting? these are techniques
>>
>> http://en.wikipedia.org/wiki/Setuid
>> http://kernel.org/doc/man-pages/online/pages/man7/capabilities.7.html
>
> Examples of a specific capability replacing a setuid. Your web pages were
> of more help.
[harry at srv-rhsoft:~]$ getcap /bin/ping
/bin/ping = cap_net_raw+ep
it gets exactly the permissions it really needs
with SETUID it had full root permissions
from the view of giving each user/service/application the permissions
which are needed but not more, capabilities are finer to control
giving as few permissions as possible is hardening the system
in the case of mistakes (buffer overflow, not well enough sanitized
inputs or whatever will happen) it maybe makes a permission breakout
of an application in specific cases impossible where they with
SETUID would have the possibility to take over the system
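
The comparison made in this message, as an added example that is not part of the original post: it parses a getcap line like the one shown above into a capability bitmask and lists what a setuid-root binary would hold in addition. The capability numbers follow linux/capability.h; the 41-entry table (a current kernel), the function names and the second sample line are assumptions of this example.

```python
import re

# Capability bit numbers from linux/capability.h (list index = bit number).
CAPS = """chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore""".split()
BIT = {"cap_" + n: i for i, n in enumerate(CAPS)}
FULL_ROOT = (1 << len(CAPS)) - 1  # effective set of a setuid-root program


def parse_getcap(line):
    """Return (path, mask) for a getcap line such as
    '/bin/ping = cap_net_raw+ep'. mask holds the capabilities that are
    both permitted (p) and effective (e), i.e. usable right after exec."""
    # The ' = ' separator is treated as optional.
    m = re.match(r"^(\S+)\s+(?:=\s+)?(\S.*)$", line.strip())
    if not m:
        raise ValueError("not a getcap line: %r" % line)
    path, mask = m.group(1), 0
    for clause in m.group(2).split():
        c = re.match(r"^([a-z_,]*)([+=])([eip]+)$", clause)
        if not c:
            raise ValueError("unsupported clause: %r" % clause)
        cap_names, _, flags = c.groups()
        if "e" in flags and "p" in flags:
            for name in cap_names.split(","):
                # An empty name list or 'all' means every capability.
                mask |= FULL_ROOT if name in ("", "all") else 1 << BIT[name]
    return path, mask


def names(mask):
    """Decode a bitmask (same layout as CapEff in /proc/PID/status)."""
    return ["cap_" + n for i, n in enumerate(CAPS) if mask >> i & 1]


def withheld(mask):
    """Capabilities a setuid-root binary would hold but this one does not."""
    return names(FULL_ROOT & ~mask)


if __name__ == "__main__":
    # Constructed input: the line from the message plus a hypothetical file.
    for line in ("/bin/ping = cap_net_raw+ep",
                 "/usr/bin/example = cap_net_bind_service,cap_net_raw+ep"):
        path, mask = parse_getcap(line)
        print("%s CapEff=%016x grants=%s withheld=%d"
              % (path, mask, names(mask), len(withheld(mask))))
```
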