more libcap2

Robert Connolly robert at linuxfromscratch.org
Fri Oct 3 18:07:33 PDT 2008


I think this is all of them, and the minimal capabilities possible:

chmod -v -s /bin/ping
setcap cap_net_raw=ep /bin/ping
chmod -v -s /bin/ping6
setcap cap_net_raw=ep /bin/ping6

chmod -v -s /usr/bin/chage
setcap CAP_DAC_READ_SEARCH=ep /usr/bin/chage

chmod -v -s /usr/bin/chfn
setcap CAP_CHOWN,CAP_DAC_READ_SEARCH,CAP_SETUID=ep /usr/bin/chfn

chmod -v -s /usr/bin/chsh
setcap CAP_CHOWN,CAP_DAC_READ_SEARCH,CAP_SETUID=ep /usr/bin/chsh

chmod -v -s /bin/passwd
setcap CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_SETUID=ep /bin/passwd

# /bin/su may want CAP_SYS_TTY_CONFIG and CAP_SYS_RESOURCE,
# depending how you use /bin/su.
chmod -v -s /bin/su
setcap CAP_DAC_READ_SEARCH,CAP_SETUID,CAP_SETGID=ep /bin/su

chmod -v -s /usr/bin/newgrp
setcap CAP_SETGID=ep /usr/bin/newgrp

chmod -v -s /bin/mount
setcap CAP_SYS_ADMIN=ep /bin/mount
chmod -v -s /bin/umount
setcap CAP_SYS_ADMIN=ep /bin/umount

robert
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://lists.linuxfromscratch.org/pipermail/hlfs-dev/attachments/20081003/f3a9b621/attachment.sig>


More information about the hlfs-dev mailing list