Red Hat Bugzilla – Bug 427037
RFE: Backport "file capabilities" feature from 2.6.24
Last modified: 2012-04-02 16:06:29 EDT
POSIX File Capabilities allows processes that would normally run as root to run
with a subset of root's privileges. This would further increase system security
as many binaries that would normally run as setuid could run with only the
capabilities they required. In effect this would make for a very easy way of
confining what would normally be root or suid binaries/processes.
Allowing services like httpd access to CAP_NET_BIND_SERVICE without the inital
root privileges and allowing IRCds access to CAP_SYS_CHROOT provides an easier
way to confine processes that would otherwise run as root.
The initial commit for this feature, I think, was at
Subsequent mods went in as well.
Red Hat Enterprise Linux product management has reviewed this request. Based on
the complexity and intrusiveness, the requested change has been deemed
inappropriate for a backport to Red Hat Enterprise Linux 5. It will be
considered in the next major version of Enterprise Linux.
The core feature will be in RHEL 6, as we're including a late enough kernel.
Either reopen with more information re: comment #6, or open specific bugs against the components that need modified for full support (rpm, for example.)
File capabilities are present, can be manipulated with setcap and file capabalities are used.
* vim cap.c
* getcap cap
* gcc cap.c -o cap
chown: Operation not permitted
[borix@dhcp-31-190 ~]$ exit
[root@dhcp-31-190]# setcap cap_chown=ep cap
* ls -l /root/
ls: cannot open directory /root/: Permission denied
[borix@dhcp-31-190 ~]$ ls -l /root/ -d
dr-xr-x---. 9 1000 1000 4096 Jun 22 13:49 /root/
* cat cap.c
chown("/root", 1000, 1000);
Red Hat Enterprise Linux Beta 2 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.