more libcap2

Robert Connolly robert at
Sat Oct 4 16:17:23 PDT 2008

Do-over... more comments, removed some unneeded caps, and I forgot about 
gpasswd (see the comment for newgrp) and expiry. So, I think this is all the 
suid-root programs in the base system:

chmod -v -s /bin/ping
setcap cap_net_raw=ep /bin/ping
chmod -v -s /bin/ping6
setcap cap_net_raw=ep /bin/ping6

# Regular users can only use the --list option, so chage only needs read
# access to /etc/shadow.
chmod -v -s /usr/bin/chage
setcap CAP_DAC_READ_SEARCH=ep /usr/bin/chage

# expiry needs the same capabilities as chage.
chmod -v -s /usr/bin/expiry
setcap CAP_DAC_READ_SEARCH=ep /usr/bin/expiry

# chfn needs read access to /etc/shadow, to check the user's password. Somehow
# the write access to /etc/passwd is managed with CAP_SETUID and CAP_CHOWN,
# using /etc/passwd- as a temporary file.
chmod -v -s /usr/bin/chfn

# The user's shell is not stored in /etc/shadow, only /etc/passwd (which is
# world readable), so no special read permissions are needed for chsh.
chmod -v -s /usr/bin/chsh
setcap CAP_CHOWN,CAP_SETUID=ep /usr/bin/chsh

# For some reason the behavior is different when writing to /etc/shadow,
# compared to /etc/passwd, and CAP_DAC_OVERRIDE is needed.
chmod -v -s /bin/passwd

# gpasswd needs the same capabilities as passwd.
chmod -v -s /usr/bin/gpasswd
setcap CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_SETUID=ep /usr/bin/gpasswd

# /bin/su may want CAP_SYS_TTY_CONFIG and CAP_SYS_RESOURCE, depending on how
# you use su.
chmod -v -s /bin/su

# If you do not use gpasswd, then /usr/bin/newgrp only needs CAP_SETGID.
chmod -v -s /usr/bin/newgrp
setcap CAP_DAC_READ_SEARCH,CAP_SETGID=ep /usr/bin/newgrp

chmod -v -s /bin/mount
setcap CAP_SYS_ADMIN=ep /bin/mount
chmod -v -s /bin/umount
setcap CAP_SYS_ADMIN=ep /bin/umount
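
A way to check the result of the commands above, as an added example that is not part of the original post: the function compares `getcap` output with the capability sets given on the post's setcap lines. The function names are made up for this example, and files the post gives no setcap line for (chfn, passwd, su) are left out of the table.

```shell
# Expected "path caps" pairs, copied from the setcap lines in the post.
expected_caps() {
cat <<'EOF'
/bin/ping cap_net_raw
/bin/ping6 cap_net_raw
/usr/bin/chage cap_dac_read_search
/usr/bin/expiry cap_dac_read_search
/usr/bin/chsh cap_chown,cap_setuid
/usr/bin/gpasswd cap_chown,cap_dac_override,cap_setuid
/usr/bin/newgrp cap_dac_read_search,cap_setgid
/bin/mount cap_sys_admin
/bin/umount cap_sys_admin
EOF
}

# Reduce each getcap line to "path caps flags". Accepts both output styles:
#   "/bin/ping = cap_net_raw+ep"  and  "/bin/ping cap_net_raw=ep"
normalize_getcap() {
    sed -E 's/^([^ ]+) (= )?([a-z_,]+)[+=]([eip]+)$/\1 \3 \4/'
}

# Sort a comma-separated capability list so the comparison ignores order.
sort_caps() {
    printf '%s\n' "$1" | tr ',' '\n' | sort | paste -sd, -
}

# audit_caps "<getcap output>": prints one status line per expected file.
# Returns 0 only if every file has exactly the expected set with flags "ep".
# On a live system: audit_caps "$(getcap $(expected_caps | cut -d' ' -f1))"
audit_caps() {
    actual=$(printf '%s\n' "$1" | normalize_getcap)
    rc=0
    while read -r path want; do
        got=$(printf '%s\n' "$actual" | awk -v p="$path" '$1 == p { print $2, $3 }')
        if [ -z "$got" ]; then
            echo "MISSING  $path (want $want ep)"; rc=1; continue
        fi
        caps=${got% *}; flags=${got#* }
        if [ "$(sort_caps "$caps")" = "$(sort_caps "$want")" ] && [ "$flags" = ep ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (want $want ep, got $got)"; rc=1
        fi
    done <<EOF
$(expected_caps)
EOF
    return $rc
}
```

A MISSING line means the file has no capabilities at all, which is what a reinstalled or upgraded binary looks like; it will also have lost or regained its setuid bit, so check `ls -l` for the same path.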

