From: Andreas Gruenbacher <agruen@suse.de>
To: Pavel Machek <pavel@ucw.cz>
Cc: linux-kernel@vger.kernel.org
Subject: Re: Posix capabilities
Date: Sun, 27 Oct 2002 14:46:24 +0100
Message-ID: <200210271446.24655.agruen@suse.de>
In-Reply-To: <20021020141647.GB6280@elf.ucw.cz>

On Sunday 20 October 2002 16:16, Pavel Machek wrote:
> Hi!
>
> > > Ah, ok... I thought that things work like this: the capabilities
> > > support already is in the kernel, and to give an app a particular
> > > capability, one has to add a particular extended attribute to the
> > > application executable. So I'm wrong here it seems?
> >
> > First of all, you can't use a standard user extended attribute, since
> > anyone with write access to the file will be allowed to set the
> > extended attribute.  This isn't good if you're going to be granting
>
> What are extended attributes good for, then?

Extended attributes support different namespaces, like user.* and system.*. 
The user.* namespace is treated similarly to the file contents
permission-wise, so users can associate attributes with files. Things like ACLs,
Capabilities, etc. are intended to be added to the system.* namespace. They 
differ from user.* in that they require different permissions/capabilities 
from the calling process.

ACLs are named system.posix_acl_access and system.posix_acl_default. 
Capabilities could be named system.posix_caps, for example.

You can look this all up in the attr(5) manual page at 
<http://acl.bestbits.at/cgi-man/attr.5>.

--Andreas.
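
The namespace distinction described in the message above can be observed directly. This is an added example, not part of the original message: it assumes Linux and Python's os.setxattr, and tries to set one attribute per namespace on a file the caller owns, reporting the result for each. The names user.demo and trusted.demo are constructed, and trusted.* is a namespace the message does not mention; writing to it requires CAP_SYS_ADMIN.

```python
import errno
import os
import tempfile

# Attribute names are constructed for this probe. system.posix_caps is the
# name floated in the message; no kernel handler is assumed to exist for it.
PROBES = ("user.demo", "system.posix_caps", "trusted.demo")


def try_set(path, name, value=b"1"):
    """Attempt setxattr(2) on path; return "OK" or the symbolic errno."""
    try:
        os.setxattr(path, name, value)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    os.removexattr(path, name)  # leave the file as we found it
    return "OK"


def probe_namespaces(path=None):
    """Map each probe name to the outcome of setting it on a file we own."""
    if path is not None:
        return {name: try_set(path, name) for name in PROBES}
    # No path given: use a scratch file so nothing persistent is touched.
    with tempfile.NamedTemporaryFile() as tmp:
        return {name: try_set(tmp.name, name) for name in PROBES}


if __name__ == "__main__":
    print(f"euid={os.geteuid()}")
    for name, outcome in probe_namespaces().items():
        print(f"{name:20} {outcome}")
```

Outcomes depend on the filesystem and on the caller's privileges, so compare a run as an ordinary user with a run as root on the same file.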
