posted Jul 24, 2011 7:33 PM by Andrew G. Morgan
- Clarified License file (with version 2 of the GPL)
- Support getting/setting capabilities on large files (Patch courtesy of Mikhail Kulinich by way of Serge Hallyn).
- After --chroot command, change working directory to "/". This follows a suggestion from Steve Grubb, who pointed out:
|
posted Apr 28, 2011 8:17 PM by Andrew G Morgan
- Introduce cap_get_bound() and cap_drop_bound() functions.
- also include a macro CAP_IS_SUPPORTED(cap) for capabilities
- Add a manual cross link from libcap(3) to capsh(1)
|
posted Jan 18, 2011 9:15 PM by Andrew G Morgan
- Latest kernel capabilites supported: now includes CAP_SYSLOG (patch from Sergey Senozhatsky)
- $(CFLAGS) Makefile fixes from Torsten Werner
- Default to installing setcap with an inheritable capability.
- You can disable this feature with: make RAISE_SETFCAP=no install
|
posted Jan 13, 2010 6:12 PM by Andrew G Morgan
- Latest kernel header(s) - now include linux/securebits.h and linux/prctl.h copy
- capsh
- --print securebits in binary
- support --drop=all
- --print text usernames as well as numeric ids
- add test for max lock-down state
- New sys/securebits.h (from Serge)
|
posted Dec 25, 2009 4:17 PM by Andrew G Morgan
- Some documentation fixes from Mike Frysinger (getcap.8 and setcap.8)
- Manual entry created for capsh.1
- Added features to capsh:
- --print supplementary group list
- --user=<foo> argument to set user and groups to named user
- --gid=<N> set gid of current user (N is numeric)
- --groups=<g1>,<g2>,... to set supplementary group list
|
posted Dec 3, 2008 11:12 PM by Andrew G Morgan
[
updated Aug 26, 2009 10:10 PM
]
- Fix some compilation problems (the hacky workarounds are gone now - thanks to many folk for pointing out that more recent kernels didn't like the hack that was there)
- Fixed test for setuid-0 shell scripts. Namely, they should not get capabilities when executed by someone other than root.
|
posted Dec 3, 2008 11:09 PM by Andrew G Morgan
[
updated Dec 3, 2008 11:12 PM
]
- The use of sed to extract capabilities from the kernel linux/capability.h header was proving problematic (it was dropping capabilities on older systems because \t wasn't correctly handled) leading to runtime seg-faults. As such, I've replaced the sed code with some perl code which appears to be more robust.
|
posted Nov 10, 2008 5:54 PM by Andrew G Morgan
[
updated Dec 3, 2008 11:09 PM
]
- Makefile tweaks
- add rule to build html (not on by default)
- add rule to suppress filesystem support from make command line:
- revise DYNAMIC=yes test
- fix INDENT test (thanks to Mike Frysinger)
- comment fix for libcap/cap_file.c
- add test (progs/quicktest.sh) for bogus capability support on shell scripts.
- added a note about this site.
- added test to see if running kernel erroneously supports capability enabled shell scripts
- revised recursive support for getcap (thanks to Lukas Kuklinek)
|
posted Oct 25, 2008 4:07 PM by Andrew G Morgan
[
updated Oct 25, 2008 8:44 PM
]
- capsh now has a --decode=XXX option (use this to make sense of the capability sets you can see in /proc/<PID>/status)
$ grep Cap /proc/$$/status
CapInh: 0000000080000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: ffffffffffffffff
$ capsh --decode=0000000080000000
0x0000000080000000=cap_setfcap
$
- setcap binary now has a -v option (use this to verify that the capabilities on a file match what you would expect)
$ getcap setcap
setcap = cap_setfcap+i
$ setcap -v cap_setfcap=i setcap
setcap: OK
$
("= cap_setfcap+i" is equivalent to "cap_setfcap=i", read more about this with, man 3 cap_from_text .)
- Following a suggestion from the Slackware folk (Thanks Robby Workman for pointing out Pat's change). For non-development build trees (with no .git directory), link the progs/ files dynamically - they will work after they are installed. To override this behavior, you can be explicit on the make command line as follows:
- to build the programs statically (they can be used stand alone):
$ make distclean ; make DYNAMIC=no - to build the programs dynamically (they will only work correctly when installed):
$ make distclean ; make DYNAMIC=yes
- Documentation fix in cap_clear(3) for CAP_DIFFERS(), namely a non-zero value implies a difference exists.
|
|
