在系统编程中,经常会看到特权程序、进程一说,特权指的是一种能力。官方定义:Linux capabilities are special attributes in the Linux kernel that grant processes and binary executables specific privileges that are normally reserved for processes whose effective user ID is 0 (The root user, and only the root user, has UID 0).
跟sudo的作用是类似的。是在Linux内核2.2之后引入的,原理很简单,就是将之前与超级用户root(UID=0)关联的特权细分为不同的功能组,Capabilites作为线程(Linux并不真正区分进程和线程)的属性存在,每个功能组都可以独立启用和禁用。其本质上就是将内核调用分门别类,具有相似功能的内核调用被分到同一组中。典型的如访问/proc、网络、dmesg相关模块。
这样一来,权限检查的过程就变成了:在执行特权操作时,如果线程的有效身份不是root,就去检查其是否具有该特权操作所对应的capabilities,并以此为依据,决定是否可以执行特权操作。
通过man 7 capabilities可以查看所有的各种能力。
CAPABILITIES(7) Linux Programmer's Manual CAPABILITIES(7) NAME capabilities - overview of Linux capabilities DESCRIPTION For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged pro- cesses are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list). Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute. Capabilities list The following list shows the capabilities implemented on Linux, and the operations or behaviors that each capability permits: CAP_AUDIT_CONTROL (since Linux 2.6.11) Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules. CAP_AUDIT_WRITE (since Linux 2.6.11) Write records to kernel auditing log. CAP_BLOCK_SUSPEND (since Linux 3.5) Employ features that can block system suspend (epoll(7) EPOLLWAKEUP, /proc/sys/wake_lock). CAP_CHOWN Make arbitrary changes to file UIDs and GIDs (see chown(2)). CAP_DAC_OVERRIDE Bypass file read, write, and execute permission checks. (DAC is an abbreviation of "discretionary access control".) CAP_DAC_READ_SEARCH * Bypass file read permission checks and directory read and execute permission checks; * Invoke open_by_handle_at(2). CAP_FOWNER * Bypass permission checks on operations that normally require the file system UID of t
https://www.vultr.com/docs/working-with-linux-capabilities
Linux系统管理Capabilities的工具
CAP既可以设置在文件上,也可以设置在进程上。一般在文件上为主。
Linux系统中主要提供了两种工具来管理capabilities:libcap和libcap-ng。
libcap提供了getcap和setcap两个命令来分别查看和设置文件的capabilities,同时还提供了capsh来查看当前shell进程的capabilities。
libcap-ng更易于使用,使用同一个命令filecap来查看和设置capabilities。
https://blog.csdn.net/whatday/article/details/109257038
https://blog.container-solutions.com/linux-capabilities-in-practice