
Linux

GNU/LinuxUnixunmount

setuid

IEEE Std.1003.1e (aka POSIX.1ePOSIX.6)1995(ACL)()(MAC)

1998IEEERevCon 17() Linux

Linux POSIX.1e version UnixVMS(TCB) privileges 1966Earl Horn (CACM9 #3143-155 19663) (Java) Linux

(p)(e)(i)<security/capability.h>

64(libcap2.0332) (i)(p)(e)

monotonic CAP_SYS_TIME

exec

explanation Friedhoff

setuidGNU/Linux

$ ls -Al /bin/ping
-rwsr-xr-x 141784 2008-09-26 02:02 /bin/ping

setuid

$ cp /bin/ping
$ ls -Al
-rwxr-xr-x 1 fpm fpm 41784 2009-05-29 20:26
$ ./ping localhost
 icmp 



# ./ping -c1 localhost
PING localhost.localdomain (127.0.0.1) 56(84)
localhost.localdomain (127.0.0.1)64 icmp_seq=1 ttl=64 time=0.026

--- localhost.localdomain ---
1 1 0%0ms
rttavgmdev = 0.026/0.026/0.026/0.000

CAP_NET_RAW

# /usr/sbin/setcap cap_net_raw=ep ./ping



# /usr/sbin/getcap ./ping
./ping = cap_net_raw+ep

setuid

$ ls -Al ./ping
-rwxr-xr-x 1 fpm fpm 41784 2009-05-29 20:26 ./ping
$ ./ping -c1 localhost
PING localhost.localdomain (127.0.0.1) 56(84)
localhost.localdomain (127.0.0.1)64 icmp_seq=1 ttl=64 time=0.026

--- localhost.localdomain ---
1 1 0%0ms
rttavgmdev = 0.026/0.026/0.026/0.000

setuid PAM pam_caplibcap PAM/etc/security/capability.confconfig=filename pam_cap

pam_cap

/etc/security/capability.conf
#
# /etc/security/capability.conf
#FPM 05/29/2009
#

##
cap_net_raw

##
*

supam_cap.so

/etc/pam.d/su
#%PAM-1.0
auth                  pam_rootok.so
# Uncomment
#auth                 pam_wheel.so use_uid
# Uncomment
#auth                   pam_wheel.so use_uid
# FPMpam_cap.so  5/29/2009
auth                    pam_cap.so  
auth                     auth
               pam_succeed_if.so uid = 0 use_uid
                  auth
                 auth
                  auth
                 pam_xauth.so

  
(e)

# /usr/sbin/setcap -r ./ping
# /usr/sbin/setcap cap_net_raw=p ./ping
# /usr/sbin/getcap ./ping
./ping = cap_net_raw+p

fpm  .

$ id -nu
fpm
$ cd ~test
$ ./ping -q -c1 localhost
 icmp 

 

$ su -

$ id -nu

$ ./ping -q -c1 localhost
PING localhost.localdomain (127.0.0.1) 56(84)

--- localhost.localdomain ---
1 1 0%0ms
rttavgmdev = 0.024/0.024/0.024/0.000

/usr/sbin/capshshell script /bin/bashbsetpI

CAP_NET_RAW

$ id -nu

$ /usr/sbin/getcap ./ping
./ping = cap_net_raw+ep

capshCAP_NET_RAWuid 500 (fpm)


$ /usr/sbin/capsh --drop=cap_net_raw --uid=500 --
$ id -nu
fpm
$ ./ping -q -c1 localhost
 ./ping  

CAP_NET_RAW

$ /usr/sbin/setcap -r ./ping

capsh --

$ capsh --caps="cap_net_raw-ep" -- -c "./ping -c1 -q localhost"
PING localhost.localdomain (127.0.0.1) 56(84)

--- localhost.localdomain ---
1 1 0%0ms
rttavgmdev = 0.056/0.056/0.056/0.000

capsh

$ id -nu
fpm
$ /usr/sbin/capsh --
 =
=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill
cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast
cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio
cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice
cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write
cap_audit_control cap_setfcap cap_mac_override cap_mac_admin
Securebits  00/0x0
 noroot  ()
 suid fixup  ()
  ()
uid=500

capsh capsh- setuid shell script

10libcap 2.10 GNU/LinuxCONFIG_FILE_CAPABILITIES=ylibcap >=2.08ext3ext42.6.24>= CONFIG_CAPABILITIES=y

10getpcapscapshpam_cap(ACLs!) SELinux

11 Linux