Linux system programming: privileged (Capabilities) programs and processes


  In system programming one often encounters the terms "privileged program" and "privileged process"; the privilege in question is a capability. Official definition: Linux capabilities are special attributes in the Linux kernel that grant processes and binary executables specific privileges that are normally reserved for processes whose effective user ID is 0 (The root user, and only the root user, has UID 0).

  Their role is similar to that of sudo. Capabilities were introduced in Linux kernel 2.2, and the principle is simple: the privileges formerly tied to the superuser root (UID=0) are subdivided into distinct functional groups. Capabilities exist as an attribute of the thread (Linux does not really distinguish processes from threads), and each group can be enabled and disabled independently. In essence, kernel calls are sorted into categories, with kernel calls of similar function placed in the same group; typical examples are the groups covering access to /proc, networking, and dmesg.

  As a result, the permission check becomes: when a privileged operation is requested, if the thread's effective identity is not root, the kernel checks whether the thread holds the capability corresponding to that operation, and on that basis decides whether the privileged operation may proceed.

  All the capabilities can be viewed with man 7 capabilities.

CAPABILITIES(7)                                                                  Linux Programmer's Manual                                                                 CAPABILITIES(7)

NAME
       capabilities - overview of Linux capabilities

DESCRIPTION
       For  the  purpose  of  performing  permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0,
       referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero).  Privileged processes bypass all kernel permission checks, while unprivileged  pro-
       cesses are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).

       Starting  with  kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and
       disabled.  Capabilities are a per-thread attribute.

   Capabilities list
       The following list shows the capabilities implemented on Linux, and the operations or behaviors that each capability permits:

       CAP_AUDIT_CONTROL (since Linux 2.6.11)
              Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules.

       CAP_AUDIT_WRITE (since Linux 2.6.11)
              Write records to kernel auditing log.

       CAP_BLOCK_SUSPEND (since Linux 3.5)
              Employ features that can block system suspend (epoll(7) EPOLLWAKEUP, /proc/sys/wake_lock).

       CAP_CHOWN
              Make arbitrary changes to file UIDs and GIDs (see chown(2)).

       CAP_DAC_OVERRIDE
              Bypass file read, write, and execute permission checks.  (DAC is an abbreviation of "discretionary access control".)

       CAP_DAC_READ_SEARCH
              * Bypass file read permission checks and directory read and execute permission checks;
              * Invoke open_by_handle_at(2).

       CAP_FOWNER
              * Bypass permission checks on operations that normally require the file system UID of t

https://www.vultr.com/docs/working-with-linux-capabilities 

Tools for managing capabilities on Linux

  Capabilities can be set on files as well as on processes; in practice they are mostly set on files.

  Linux provides two main toolsets for managing capabilities: libcap and libcap-ng.

  libcap provides the getcap and setcap commands to view and set a file's capabilities respectively, and also provides capsh to view the capabilities of the current shell process.

  libcap-ng is easier to use: a single command, filecap, both views and sets capabilities.
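Besides capsh, a process's per-thread capability sets can be read directly from /proc/<pid>/status, where the kernel reports CapInh/CapPrm/CapEff/CapBnd/CapAmb as hex bitmasks. The following added example (not from the original post or from libcap) decodes those masks into capability names so an auditor can see exactly what a non-root service holds; the bit numbers come from <linux/capability.h>, and the sample status text is constructed.

```python
import re

# Capability bit numbers from <linux/capability.h>: list index == bit position.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

def decode_mask(mask: int) -> list:
    """Turn one Cap* hex bitmask into the list of capability names it contains."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            # Bits above the known table are newer capabilities; keep them as numbers.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names

def parse_status(text: str) -> dict:
    """Extract every Cap*: line from /proc/<pid>/status text and decode it."""
    caps = {}
    for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", text, re.M):
        caps[m.group(1)] = decode_mask(int(m.group(2), 16))
    return caps

def read_self_caps() -> dict:
    """Decode the capability sets of the calling process (Linux only)."""
    with open("/proc/self/status") as f:
        return parse_status(f.read())

# Constructed sample: a UID 1000 service granted only CAP_NET_BIND_SERVICE (bit 10).
SAMPLE_STATUS = """Name:\tsample-svc
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    for name, caps in parse_status(SAMPLE_STATUS).items():
        print(name, caps)
```

On a real host, call read_self_caps() instead of parsing the sample; an effective set that contains more than the service needs (for example CAP_SYS_ADMIN on a web server) is the thing to flag.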

https://blog.csdn.net/whatday/article/details/109257038

https://blog.container-solutions.com/linux-capabilities-in-practice

