Userspace tools
lspasswd
Tool for setting and changing the LinSec password. It takes no command line options.
lsenable & lsdisable
lsenable and lsdisable ask for the LinSec password.
If the password is correct, lsenable sets all capabilities in the parent process's inheritable capability set (pI); lsdisable clears the parent's pI capset.
Before using the other tools (capadm and adadm), remember to run lsenable first.
capadm
Capability manipulation tool. If you start it without command line options, you get general help. capadm usage is divided into five sections:
File capabilities manipulation (switch -F)
User capabilities manipulation (switch -U)
User capability groups manipulation (switch -G)
Process capabilities manipulation (switch -P)
Global bounding capability set manipulation (switch -B)
File capabilities manipulation
You can add or remove individual capabilities to or from a file, or set the full capability set on, or clear all capabilities from, one of a file's capability sets. Type capadm -F for help.
It is very important to understand that a file has three capability sets: Allowed (fA), Forced (fF) and Effective (fE). It is equally important to understand how these file sets are combined into the process capability sets (Permitted, Effective, Inheritable). The best way to understand this is to read the very extensive documentation.
File capabilities help
=> capadm -F [-a | -r] filename [fA | fF | fE] caps…
[-f | -l] filename [fA | fF | fE]
[-v] filename
-a Add capability(ies) to file fA/fF/fE capset
-r Remove capability(ies) from file fA/fF/fE capset
-f Set full capability set to file fA/fF/fE capset
-l Clear all capabilities from file fA/fF/fE capset
-v View file capability sets
User capabilities manipulation
First of all, both capadm and adadm (the Access Domain manipulation tool) use the very same user structures to store a user's data (somewhere under /etc/linsec). Before you can do anything with a user, you have to create that user's structure.
capadm lets you create, delete or view a user structure. A user can be identified either by username or by UID.
Every user has its own permitted set (uP, user permitted) and bounding set (uB, user bounding). You can manipulate both uP and uB (add or remove capabilities).
There is also something called a 'user capability group'. You may think of a user capability group as a template.
Every user is, by default, a member of the default capability group 0. With capadm, you may add a user to one or more previously created groups.
User capabilities help
=> capadm -U [-c | -d | -v] username
[-a | -r] username [uP | uB] caps…
[-f | -l] username [uP | uB]
[-g | -t] username cgrp
[-s]
-c Create user structure
-d Delete user structure
-v View user structure
-a Add capability(ies) to user uP/uB capset
-r Remove capability(ies) from user uP/uB capset
-f Set full capability set to user uP/uB capset
-l Clear all capabilities from user uP/uB capset
-g Add capability group (cgrp) to user
-t Remove capability group (cgrp) from user
-s Show all created user capability structures
User capability groups manipulation
As with users, in order to manipulate capability groups, first create the group structure.
User capability groups help
=> capadm -G [-c | -d | -v] cgrp
[-a | -r] cgrp caps…
[-f | -l] cgrp
[-s | -h]
-c Create capability group structure
-d Delete capability group structure
-v View capability group structure
-a Add capability(ies) to capability group
-r Remove capability(ies) from capability group
-f Set full capability set to capability group
-l Clear all capabilities from capability group
-s Show all created capability groups
-h This help
Process capability manipulation
Every process has three capability sets: Effective (pE), Permitted (pP) and Inheritable (pI). With capadm you can add or remove capabilities in any of them, set the full set, clear it, or view all three.
Process capabilities help
=> capadm -P [-a | -r] pid [pE | pP | pI] caps…
[-f | -l] pid [pE | pP | pI]
[-v] pid
-a Add capability(ies) to process’ pE/pP/pI capset
-r Remove capability(ies) from process’ pE/pP/pI capset
-f Set full capability set to process’ pE/pP/pI capset
-l Clear all capabilities from process’ pE/pP/pI capset
-v View process capability sets
Global bounding capability set manipulation
Global bounding set capabilities help
=> capadm -B [-a | -r] caps…
[-f | -l]
[-v]
-a Add capability(ies) to global bounding set
-r Remove capability(ies) from global bounding set
-f Set full capability set
-l Clear all capabilities from global bounding set
-v View global bounding set
adadm
Access Domain manipulation tool. Usage is divided into three sections:
Access Domain Group manipulation (switch -G)
Group Members (files) manipulation (switch -F)
User Access Domain manipulation (switch -U)
Access Domain Group manipulation
Every AD group consists of elements and members. Elements are usually directories, while members are ordinary files. As with user capability groups, you first have to create a group. AD groups 0 and 1 are the defaults (0 is the RW default, 1 the RO default), so you will have to create at least those two.
For further explanation of Access Domain functionality (flags, inheritance, etc.), please read the documentation.
Access Domain Groups help
=> adadm -G [-c | -d | -v | -u] adgrp
[-a] adgrp FLAG file
[-r] adgrp file
[-s | -h]
-c Create access domain group structures
-d Delete access domain group structures
-v View access domain group structures
-u Update access domain group structures
-a Add element (file) to access domain group
-r Remove element (file) from access domain group
-s Show all created access domain groups
-h This help
FLAGS:
NONE – Without flags
EXCL – Exclusion
NINH – No inheritable
BOTH – EXCL & NINH
Group members manipulation
Once you've created all the necessary AD groups, you may start adding members. A file can be a member of a group in one of two ways: read only (ro) or read/write (rw).
File Access Domain help
=> adadm -F [-a] filename [ro | rw] ADgrp
[-m] filename ADgrp element FLAG
[-r] filename ADgrp
[-v] filename
-a Add file to access domain group
-r Remove file from access domain group
-m Add file to ad group with modified element’s flag
-v View file access domain info
FLAGS:
NONE – Without flags
EXCL – Exclusion
NINH – No inheritable
BOTH – EXCL & NINH
User Access Domain manipulation
adadm and capadm use the same files and structures to store users' data. If you create a user structure with, for example, capadm, you don't have to create it again with adadm.
Every user has its own so-called 'default access domain', which is usually where you put the user's home directory.
A user can also be a member of an Access Domain group.
User Access Domain help
=> adadm -U [-c | -d | -v] username
[-a | -r] username element
[-g | -t] username [ro | rw] adgrp
[-s]
-c Create user structure
-d Delete user structure
-v View user structure
-a Add element to user default access domain
-r Remove element from user default access domain
-g Add ad group to user
-t Remove ad group from user
-s Show all created users
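As an added example (not LinSec's own code), the following POSIX shell script chains the capadm and adadm steps from the user, capability group and Access Domain sections above into one provisioning routine. It assumes lsenable was run in the same shell beforehand; the user name, group numbers, paths and the CAP_* spelling of capability names are constructed assumptions, not values from this page.

```shell
#!/bin/sh
# Added example, not part of LinSec: provision one operator account with a
# capability group and a read-only Access Domain group, using only the
# capadm/adadm invocations documented above. Assumes 'lsenable' was already
# run in this shell; names, numbers, paths and the CAP_* capability spelling
# are constructed. DRY_RUN=1 prints each command instead of executing it.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# A capability group is a template; group 0 is the implicit default, so only
# the extra group (constructed number 5) needs to be created and filled.
setup_cap_group() {
    cgrp=$1; shift
    run capadm -G -c "$cgrp"
    run capadm -G -a "$cgrp" "$@"
}

# AD groups 0 (RW default) and 1 (RO default) must exist before members can
# be added. Group 10 is a constructed read-only group: /usr/share/doc is its
# element (with the NINH flag, see FLAGS above), a README file its member.
setup_ad_groups() {
    run adadm -G -c 0
    run adadm -G -c 1
    run adadm -G -c 10
    run adadm -G -a 10 NINH /usr/share/doc
    run adadm -F -a /usr/share/doc/README ro 10
}

# One user structure serves both tools: create it once with capadm, then
# attach capabilities (uP plus group 5) and the AD group to the same name.
provision_user() {
    user=$1
    run capadm -U -c "$user"
    run capadm -U -a "$user" uP CAP_NET_RAW
    run capadm -U -g "$user" 5
    run adadm -U -a "$user" "/home/$user"
    run adadm -U -g "$user" ro 10
}

provision_all() {
    setup_cap_group 5 CAP_NET_BIND_SERVICE
    setup_ad_groups
    provision_user "$1"
}
```

Run `DRY_RUN=1 provision_all alice` first to review the exact command sequence before applying it.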