POSIX Capabilities Analysis and Summary.docx

  • About 8.41 thousand words
  • About 7 pages
  • Published 2023-04-24 in Shanghai

POSIX Capabilities

Content:

CAP_CHOWN
Code Listing 1.1: CAP_CHOWN
In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this overrides the restriction of changing file ownership and group ownership.

CAP_DAC_OVERRIDE
Code Listing 2.1: CAP_DAC_OVERRIDE
Override all DAC access, including ACL execute access if [_POSIX_ACL] is defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE.

CAP_DAC_READ_SEARCH
Code Listing 3.1: CAP_DAC_READ_SEARCH
Overrides all DAC restrictions regarding read and search on files and directories, including ACL restrictions, if [_POSIX_ACL] is defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE.

CAP_FOWNER
Code Listing 4.1: CAP_FOWNER
Overrides all restrictions about allowed operations on files, where file owner ID must be equal to the user ID, except where CAP_FSETID is applicable. It doesn't override MAC and DAC restrictions.

CAP_FSETID
Code Listing 5.1: CAP_FSETID
Overrides the following restrictions: that the effective user ID shall match the file owner ID when setting the S_ISUID and S_ISGID bits on that file; that the effective group ID (or one of the supplementary group IDs) shall match the file owner ID when setting the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are cleared on successful return from chown(2) (not implemented).

CAP_FS_MASK
Code Listing 6.1: CAP_FS_MASK
Used to decide between falling back on the old suser() or fsuser().

CAP_KILL
Code Listing 7.1: CAP_KILL
Overrides the restriction that the real or effective user ID of a process sending a signal must match the real or effective user ID of the process receiv
