File capability configuration
This document contains the output of the capadm -F -v command, listing the
fA, fF and fE capability sets for the executables in our sample working
configuration.

It is recommended that you start configuring your own system by copying
this configuration. Once you have a working basic system, you can easily
extend the configuration to cover additional services to suit your needs.
Copying this configuration should also familiarize you with the tools
and the capability model.

Use capadm -F -a to add capabilities to the required sets of an executable
file. For example, to configure agetty, do the following:

    capadm -F -a /sbin/agetty fF CAP_DAC_OVERRIDE CAP_SYS_BOOTTIME
    capadm -F -a /sbin/agetty fE CAP_DAC_OVERRIDE CAP_SYS_BOOTTIME

This configures the fF and fE capability sets of /sbin/agetty to match
the /sbin/agetty entry in the listing below. You can then proceed to configure
the capability sets of the other executables listed in the sample
configuration below.
File: /bin/bash
Allowed: 400400000 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOT CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
CAP_PROC_GOD
File: /bin/chmod
Allowed: 0 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /bin/chown
Allowed: 1 Forced: 0 Effective 1
------------------------------------------------------------------------------
CAP_CHOWN CAP_CHOWN
File: /bin/cut
Allowed: 0 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /bin/dd
Allowed: 0 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /bin/grep
Allowed: 0 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /bin/hostname
Allowed: 0 Forced: 2000200000 Effective 2000200000
------------------------------------------------------------------------------
CAP_SYS_ADMIN CAP_SYS_ADMIN
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /bin/login
Allowed: 0 Forced: C9 Effective C9
------------------------------------------------------------------------------
CAP_CHOWN CAP_CHOWN
CAP_FOWNER CAP_FOWNER
CAP_SETGID CAP_SETGID
CAP_SETUID CAP_SETUID
File: /bin/mount
Allowed: 0 Forced: 200022000A Effective 200022000A
------------------------------------------------------------------------------
CAP_DAC_OVERRIDE CAP_DAC_OVERRIDE
CAP_FOWNER CAP_FOWNER
CAP_SYS_RAWIO CAP_SYS_RAWIO
CAP_SYS_ADMIN CAP_SYS_ADMIN
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /bin/rm
Allowed: 0 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /bin/setterm
Allowed: 0 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /bin/sleep
Allowed: 0 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /bin/tar
Allowed: 1 Forced: 0 Effective 1
------------------------------------------------------------------------------
CAP_CHOWN CAP_CHOWN
File: /bin/umount
Allowed: 0 Forced: 200022000A Effective 200022000A
------------------------------------------------------------------------------
CAP_DAC_OVERRIDE CAP_DAC_OVERRIDE
CAP_FOWNER CAP_FOWNER
CAP_SYS_RAWIO CAP_SYS_RAWIO
CAP_SYS_ADMIN CAP_SYS_ADMIN
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /bin/uname
Allowed: 0 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /etc/rc.d/rc.inet1
Allowed: 0 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /etc/rc.d/rc.inet2
Allowed: 0 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /etc/rc.d/rc.local
Allowed: 0 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /etc/rc.d/rc.M
Allowed: 0 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /etc/rc.d/rc.S
Allowed: 0 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /etc/rc.d/rc.sshd
Allowed: 0 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /etc/rc.d/rc.syslog
Allowed: 0 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /sbin/agetty
Allowed: 0 Forced: 2000000002 Effective 2000000002
------------------------------------------------------------------------------
CAP_DAC_OVERRIDE CAP_DAC_OVERRIDE
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /sbin/depmod
Allowed: 0 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /sbin/e2fsck
Allowed: 0 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /sbin/fsck
Allowed: 0 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /sbin/fsck.ext2
Allowed: 0 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /sbin/halt
Allowed: 0 Forced: 400000 Effective 400000
------------------------------------------------------------------------------
CAP_SYS_BOOT CAP_SYS_BOOT
File: /sbin/hwclock
Allowed: 0 Forced: 2002020000 Effective 2002020000
------------------------------------------------------------------------------
CAP_SYS_RAWIO CAP_SYS_RAWIO
CAP_SYS_TIME CAP_SYS_TIME
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /sbin/ifconfig
Allowed: 0 Forced: 2000001000 Effective 2000001000
------------------------------------------------------------------------------
CAP_NET_ADMIN CAP_NET_ADMIN
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /sbin/init
Allowed: 400400000 Forced: FFFFFFFFFFFFFFFF Effective FFFFFF7FFFFFFFFF
------------------------------------------------------------------------------
CAP_SYS_BOOT CAP_CHOWN CAP_CHOWN
CAP_PROC_GOD CAP_DAC_OVERRIDE CAP_DAC_OVERRIDE
CAP_DAC_READ_SEARCH CAP_DAC_READ_SEARCH
CAP_FOWNER CAP_FOWNER
CAP_FSETID CAP_FSETID
CAP_KILL CAP_KILL
CAP_SETGID CAP_SETGID
CAP_SETUID CAP_SETUID
CAP_SETPCAP CAP_SETPCAP
CAP_LINUX_IMMUTABLE CAP_LINUX_IMMUTABLE
CAP_NET_BIND_SERVICE CAP_NET_BIND_SERVICE
CAP_NET_BROADCAST CAP_NET_BROADCAST
CAP_NET_ADMIN CAP_NET_ADMIN
CAP_NET_RAW CAP_NET_RAW
CAP_IPC_LOCK CAP_IPC_LOCK
CAP_IPC_OWNER CAP_IPC_OWNER
CAP_SYS_MODULE CAP_SYS_MODULE
CAP_SYS_RAWIO CAP_SYS_RAWIO
CAP_SYS_CHROOT CAP_SYS_CHROOT
CAP_SYS_PTRACE CAP_SYS_PTRACE
CAP_SYS_PACCT CAP_SYS_PACCT
CAP_SYS_ADMIN CAP_SYS_ADMIN
CAP_SYS_BOOT CAP_SYS_BOOT
CAP_SYS_NICE CAP_SYS_NICE
CAP_SYS_RESOURCE CAP_SYS_RESOURCE
CAP_SYS_TIME CAP_SYS_TIME
CAP_SYS_TTY_CONFIG CAP_SYS_TTY_CONFIG
CAP_MKNOD CAP_MKNOD
CAP_LEASE CAP_LEASE
RESERVED1 RESERVED1
RESERVED2 RESERVED2
CAP_LINSEC_ADMIN CAP_LINSEC_ADMIN
CAP_PROC_PROTECTED CAP_PROC_PROTECTED
CAP_PROC_UNKILLABLE CAP_PROC_UNKILLABLE
CAP_PROC_GOD CAP_PROC_GOD
CAP_PROC_HIDDEN CAP_PROC_HIDDEN
CAP_NET_HIDDEN CAP_NET_HIDDEN
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
CAP_MOD_CAP CAP_MOD_CAP
CAP_ACD_OVERRIDE
File: /sbin/insmod
Allowed: 0 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /bin/ipmask
Allowed: 0 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /sbin/ldconfig
Allowed: 0 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /sbin/lilo
Allowed: 20000 Forced: 0 Effective 20000
------------------------------------------------------------------------------
CAP_SYS_RAWIO CAP_SYS_RAWIO
File: /sbin/route
Allowed: 0 Forced: 2000001000 Effective 2000001000
------------------------------------------------------------------------------
CAP_NET_ADMIN CAP_NET_ADMIN
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /sbin/sulogin
Allowed: 0 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /sbin/swapon
Allowed: 0 Forced: 2000200000 Effective 2000200000
------------------------------------------------------------------------------
CAP_SYS_ADMIN CAP_SYS_ADMIN
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /usr/bin/scp
Allowed: C0 Forced: C0 Effective C0
------------------------------------------------------------------------------
CAP_SETGID CAP_SETGID CAP_SETGID
CAP_SETUID CAP_SETUID CAP_SETUID
File: /usr/bin/ssh
Allowed: 0 Forced: C0 Effective C0
------------------------------------------------------------------------------
CAP_SETGID CAP_SETGID
CAP_SETUID CAP_SETUID
File: /bin/stty
Allowed: 0 Forced: 2000000000 Effective 2000000000
------------------------------------------------------------------------------
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /usr/sbin/inetd
Allowed: 0 Forced: 2200000400 Effective 2200000400
------------------------------------------------------------------------------
CAP_NET_BIND_SERVICE CAP_NET_BIND_SERVICE
CAP_PROC_UNKILLABLE CAP_PROC_UNKILLABLE
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /usr/sbin/klogd
Allowed: 0 Forced: 2100200000 Effective 2100200000
------------------------------------------------------------------------------
CAP_SYS_ADMIN CAP_SYS_ADMIN
CAP_PROC_PROTECTED CAP_PROC_PROTECTED
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /usr/sbin/sshd
Allowed: 0 Forced: 21000004C1 Effective 21000004C1
------------------------------------------------------------------------------
CAP_CHOWN CAP_CHOWN
CAP_SETGID CAP_SETGID
CAP_SETUID CAP_SETUID
CAP_NET_BIND_SERVICE CAP_NET_BIND_SERVICE
CAP_PROC_PROTECTED CAP_PROC_PROTECTED
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME
File: /usr/sbin/syslogd
Allowed: 0 Forced: 2100000400 Effective 2100000400
------------------------------------------------------------------------------
CAP_NET_BIND_SERVICE CAP_NET_BIND_SERVICE
CAP_PROC_PROTECTED CAP_PROC_PROTECTED
CAP_SYS_BOOTTIME CAP_SYS_BOOTTIME