Using setcap in Linux
Question
To add the cap_net_raw capability to a program (for example, /bin/ping), we use the following:
#setcap cap_net_raw=ep /bin/ping
What is the meaning of ep and why is it required here?
Answer
This sets the CAP_NET_RAW bit in both the "effective" (e) and "permitted" (p) capability sets. These two sets, along with the "inheritable" set, govern the capabilities that a process has or can set.
See here for more:
Capability sets
Each thread has three capability sets containing zero or more of the above capabilities:
Effective - the capabilities used by the kernel to perform permission checks for the thread.
Permitted - the capabilities that the thread may assume (i.e., a limiting superset for the effective and inheritable sets). If a thread drops a capability from its permitted set, it can never re-acquire that capability (unless it exec()s a set-user-ID-root program).
Inheritable - the capabilities preserved across an execve(2). A child created via fork(2) inherits copies of its parent's capability sets. See below for a discussion of the treatment of capabilities during exec(). Using capset(2), a thread may manipulate its own capability sets, or, if it has the CAP_SETPCAP capability, those of a thread in another process.
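The three sets the answer describes are visible for any running process in /proc/<pid>/status as the hex masks CapEff, CapPrm and CapInh. The script below is an added example, not part of the original question or answer: it decodes those masks and reports whether CAP_NET_RAW (bit 13, from <linux/capability.h>) is present in each set. The status text it parses is a constructed sample resembling a ping process started from a binary carrying cap_net_raw=ep; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): decode the effective, permitted
# and inheritable capability sets that the kernel reports in
# /proc/<pid>/status, and check each for CAP_NET_RAW.
# CAP_NET_RAW is bit 13 in <linux/capability.h>.

CAP_NET_RAW=13

# has_cap HEXMASK BITNUMBER : prints 1 if the bit is set in the mask, else 0.
# /proc prints the masks as 64-bit hex without a 0x prefix.
has_cap() {
    mask=$1
    bit=$2
    [ -n "$mask" ] || mask=0
    echo $(( ( 0x$mask >> $bit ) & 1 ))
}

# cap_set_from_status STATUSTEXT SETNAME : prints the hex mask for one of
# CapInh, CapPrm or CapEff (the inheritable, permitted and effective sets).
cap_set_from_status() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2; exit }'
}

# net_raw_summary STATUSTEXT : prints "effective=X permitted=Y inheritable=Z"
# for CAP_NET_RAW. A file capability of "=ep" yields e and p set, i clear.
net_raw_summary() {
    e=$(has_cap "$(cap_set_from_status "$1" CapEff)" "$CAP_NET_RAW")
    p=$(has_cap "$(cap_set_from_status "$1" CapPrm)" "$CAP_NET_RAW")
    i=$(has_cap "$(cap_set_from_status "$1" CapInh)" "$CAP_NET_RAW")
    echo "effective=$e permitted=$p inheritable=$i"
}

# Constructed sample: the relevant lines of /proc/<pid>/status for a process
# that got cap_net_raw from the file's "ep" sets. 0x2000 is bit 13.
SAMPLE_STATUS='Name:   ping
CapInh: 0000000000000000
CapPrm: 0000000000002000
CapEff: 0000000000002000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000'

echo "sample process: $(net_raw_summary "$SAMPLE_STATUS")"

# On a live Linux system, apply the same decoding to the current shell; for an
# unprivileged user all three values are normally 0.
if [ -r /proc/self/status ]; then
    echo "this shell:     $(net_raw_summary "$(cat /proc/self/status)")"
fi
```

For a file capability, p places the capability in the file's permitted set, and e (the file's single "effective" flag) tells the kernel to raise the permitted capabilities into the effective set at exec time, so a program that never calls capset(2) itself, such as ping, still has CAP_NET_RAW active. Without e the capability would sit in the permitted set only and the program would have to enable it explicitly. To audit which binaries on a host carry file capabilities, `getcap -r / 2>/dev/null` lists them; each such file is a privilege boundary worth reviewing in the same way as a set-user-ID binary.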