Begin4 Title: gircap: tools for using Linux capabilities (capability sets) Version: 1.00 Entered-date: July 11, 2004 Description: These tools help you use the widely unknown "capabilities" that Linux has in place of conventional unix superuser privilege. That means you can give programs and processes only as much privilege as they need and greatly limit your security exposure due to system bugs. A Linux kernel patch fixes some basically broken aspects of capabilities. setcap and getcap let you set and show capabilities of a running process. capexec runs a program with certain capabilities, uid, gid, and supplemental gids. Use this e.g. to have init start a daemon with only a subset of init's privileges. binfmt_capx is an executable interpreter in the form of a loadable kernel module. It lets you do a setuid kind of thing for files, only with fine grained capabilities. This is a cheap substitute for real "file capabilities." Keywords: gircap linux capabilities capability setuid security capx sudo superuser file uid gid setcap getcap capexec mkcapx capxprint binfmt_capx fscap Author: bryanh@giraffe-data.com (Bryan Henderson) Maintained-by: bryanh@giraffe-data.com (Bryan Henderson) Primary-site: ibiblio.org /pub/Linux/system/security Copying-policy: PD End