User Capability configuration: root

This document contains a sample capability configuration for the root user. The listing below is the output of the capadm -U -v command.

To configure uB and uP (the per-user bounding and permitted capability sets) for the root user on your system, first create the LinSec structure for the root user with capadm -U -c, then use capadm -U -a to populate the required capability sets. In the example below, uP of the root user is empty, which is the intended configuration: root has no privileges by default. This is why, once your system is configured properly and booted without the linsec=off kernel parameter, you must run lsenable before you can use the other LinSec tools; lsenable adds the capabilities the other tools need to your shell's inheritable set. When you have finished the administrative tasks, run lsdisable to remove the extra capabilities from your shell again.

The choice of the root user for this sample is arbitrary: once LinSec is installed there is no difference between root and any other user. You may, for example, have a user foo to whom you grant privileges and who knows the lsenable password, and who is thus entitled to perform administrative tasks on the system.


User structure for root (0)
-------------------------------------------------
Bounding capabilities (FFFFFFE7FFFFFFFF):
                         0 CAP_CHOWN              1 CAP_DAC_OVERRIDE      
                         2 CAP_DAC_READ_SEARCH    3 CAP_FOWNER            
                         4 CAP_FSETID             5 CAP_KILL              
                         6 CAP_SETGID             7 CAP_SETUID            
                         8 CAP_SETPCAP            9 CAP_LINUX_IMMUTABLE   
                        10 CAP_NET_BIND_SERVICE  11 CAP_NET_BROADCAST     
                        12 CAP_NET_ADMIN         13 CAP_NET_RAW           
                        14 CAP_IPC_LOCK          15 CAP_IPC_OWNER         
                        16 CAP_SYS_MODULE        17 CAP_SYS_RAWIO         
                        18 CAP_SYS_CHROOT        19 CAP_SYS_PTRACE        
                        20 CAP_SYS_PACCT         21 CAP_SYS_ADMIN         
                        22 CAP_SYS_BOOT          23 CAP_SYS_NICE          
                        24 CAP_SYS_RESOURCE      25 CAP_SYS_TIME          
                        26 CAP_SYS_TTY_CONFIG    27 CAP_MKNOD             
                        28 CAP_LEASE             29 RESERVED1             
                        30 RESERVED2             31 CAP_LINSEC_ADMIN      
                        32 CAP_PROC_PROTECTED    33 CAP_PROC_UNKILLABLE   
                        34 CAP_PROC_GOD          37 CAP_SYS_BOOTTIME      
                        38 CAP_MOD_CAP           39 CAP_ACD_OVERRIDE      
                        40 UNKNOWN CAP NAME      41 UNKNOWN CAP NAME      
                        42 UNKNOWN CAP NAME      43 UNKNOWN CAP NAME      
                        44 UNKNOWN CAP NAME      45 UNKNOWN CAP NAME      
                        46 UNKNOWN CAP NAME      47 UNKNOWN CAP NAME      
                        48 UNKNOWN CAP NAME      49 UNKNOWN CAP NAME      
                        50 UNKNOWN CAP NAME      51 UNKNOWN CAP NAME      
                        52 UNKNOWN CAP NAME      53 UNKNOWN CAP NAME      
                        54 UNKNOWN CAP NAME      55 UNKNOWN CAP NAME      
                        56 UNKNOWN CAP NAME      57 UNKNOWN CAP NAME      
                        58 UNKNOWN CAP NAME      59 UNKNOWN CAP NAME      
                        60 UNKNOWN CAP NAME      61 UNKNOWN CAP NAME      
                        62 UNKNOWN CAP NAME      63 UNKNOWN CAP NAME      

Capability group bitmap = 0x0000000000000000
Belong to capability group(s):  0
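When auditing a configuration like the one above it is useful to decode the raw 64-bit mask (FFFFFFE7FFFFFFFF) rather than trust the printed names, because capadm only prints the bits that are set: the two cleared bits (35 and 36) simply disappear from the list. The following Python is an added example, not part of the LinSec distribution or of capadm; it uses only the bit-to-name table shown in the listing above, reports bits 40 to 63 as UNKNOWN exactly as capadm does, and assumes nothing about LinSec beyond that table and the 64-bit mask format.

```python
# Added example (not LinSec's own code): decode and build the 64-bit
# capability masks that capadm -U -v prints for uB/uP.
# The name table is copied from the listing on this page; bits 35, 36 and
# 40-63 have no name there, so they are reported as "UNKNOWN CAP NAME".

CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE",
    10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN",
    22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE", 24: "CAP_SYS_RESOURCE",
    25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "RESERVED1", 30: "RESERVED2", 31: "CAP_LINSEC_ADMIN",
    32: "CAP_PROC_PROTECTED", 33: "CAP_PROC_UNKILLABLE", 34: "CAP_PROC_GOD",
    37: "CAP_SYS_BOOTTIME", 38: "CAP_MOD_CAP", 39: "CAP_ACD_OVERRIDE",
}
UNKNOWN = "UNKNOWN CAP NAME"


def parse_mask(hex_mask):
    """Parse the hex mask as printed by capadm (e.g. 'FFFFFFE7FFFFFFFF')."""
    value = int(hex_mask, 16)
    if value < 0 or value >> 64:
        raise ValueError("capability mask must fit in 64 bits")
    return value


def set_bits(mask):
    """Bit numbers that are set, lowest first (what capadm lists)."""
    return [bit for bit in range(64) if (mask >> bit) & 1]


def cleared_bits(mask):
    """Bit numbers that are clear: the capabilities capadm does NOT print."""
    return [bit for bit in range(64) if not (mask >> bit) & 1]


def cap_name(bit):
    return CAP_NAMES.get(bit, UNKNOWN)


def describe(mask):
    """Split a mask into named grants, unnamed grants and withheld bits."""
    present = set_bits(mask)
    return {
        "granted": [cap_name(b) for b in present if b in CAP_NAMES],
        "granted_unknown": [b for b in present if b not in CAP_NAMES],
        "withheld": [(b, cap_name(b)) for b in cleared_bits(mask)],
    }


def mask_from_names(names):
    """Inverse operation: build a mask from capability names, for preparing
    the value of a set before handing it to capadm. Unknown names are an
    error rather than silently ignored, so a typo cannot yield an empty set."""
    by_name = {name: bit for bit, name in CAP_NAMES.items()}
    mask = 0
    for name in names:
        if name not in by_name:
            raise KeyError("unknown capability %s" % name)
        mask |= 1 << by_name[name]
    return mask


if __name__ == "__main__":
    # The root bounding set from the listing above.
    ub = parse_mask("FFFFFFE7FFFFFFFF")
    info = describe(ub)
    print("granted named caps :", len(info["granted"]))
    print("granted unnamed bits:", info["granted_unknown"])
    print("withheld bits       :", info["withheld"])
    # An empty uP, as recommended for root on this page.
    print("uP empty grants     :", describe(0)["granted"])
    # Hypothetical set for an administrative shell (assumed names, not
    # what lsenable actually grants; the page does not say which bits it uses).
    print("example mask        : %016X" % mask_from_names(["CAP_LINSEC_ADMIN"]))
```

Running it on the mask above reports 38 named capabilities, bits 40 to 63 as unnamed grants, and bits 35 and 36 as the withheld ones, which is the information the printed listing hides. Build masks for uP or an inheritable set with mask_from_names so that a misspelled capability name fails loudly instead of producing a set that silently lacks the bit you meant.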