Summary
=======

This module enables the use of Linux capabilities on filesystems that do
not support them.  It is similar in spirit to the ELF capabilities hack
(see Footnotes) but is not specific to the ELF executable format and is
implemented as a separate kernel module.

To grant capabilities to an executable, a small wrapper file is created
that contains the path to the executable followed by the capability set
written in hexadecimal (a bit mask built from the bit numbers in the
Capabilities table below).  When this wrapper file is executed, the
kernel runs the named executable with the specified capabilities.  The
wrapper file must be owned by root and have the SUID bit set.


Example
=======

In this example, we will remove the SUID bit on the ping program while
retaining its functionality.  First, remove the SUID bit::

    $ chmod -s /bin/ping

Next, create the capability wrapper that grants CAP_NET_RAW (bit 13,
i.e. the hexadecimal mask 2000)::

    $ mv /bin/ping /bin/ping_real
    $ echo '&/bin/ping_real 2000' > /bin/ping

Finally, the wrapper must be owned by root and SUID::

    $ chown root.root /bin/ping
    $ chmod +xs /bin/ping
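As an added example (not part of this module or its documentation), a small Python audit helper that parses a wrapper file in the format used above, expands the hexadecimal mask into names from the Capabilities table below, and checks the ownership and mode the module requires; the function names and the extra world-writable check are my own assumptions, not something the module itself enforces.

```python
import os
import stat
# Capability bit numbers as listed in the Capabilities table of this document.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE",
]

def parse_wrapper(text):
    """Parse '&/path/to/exe HEXCAPS' (the ping example) into (path, mask)."""
    line = text.strip()
    if not line.startswith("&"):
        raise ValueError("not a capability wrapper: missing leading '&'")
    target, sep, hexcaps = line[1:].rpartition(" ")
    if not sep or not target.startswith("/"):
        raise ValueError("expected '&/absolute/path HEXCAPS'")
    return target, int(hexcaps, 16)

def cap_names(capset):
    """Expand a capability bit mask into names; unknown bits are flagged."""
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else "UNKNOWN_BIT_%d" % b
            for b in range(capset.bit_length()) if capset >> b & 1]

def capset_from_names(names):
    """Build the hexadecimal mask to write into a wrapper from cap names."""
    return "%x" % sum(1 << CAP_NAMES.index(n) for n in names)

def check_wrapper_mode(st_uid, st_mode):
    """List ownership/mode problems (hypothetical checks); [] is acceptable."""
    problems = []
    if st_uid != 0:
        problems.append("not owned by root")
    if not st_mode & stat.S_ISUID:
        problems.append("SUID bit not set")
    if st_mode & stat.S_IWOTH:
        problems.append("world-writable: anyone could change target or mask")
    return problems

def audit_wrapper(path):
    """Read a wrapper from disk: (target, granted capability names, problems)."""
    st = os.stat(path)
    with open(path) as f:
        target, capset = parse_wrapper(f.read())
    return target, cap_names(capset), check_wrapper_mode(st.st_uid, st.st_mode)
```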


Capabilities
============

See the Linux kernel source (include/linux/capability.h) for more
information.  The hexadecimal value written into a wrapper is the sum of
1 shifted left by each granted capability's bit number.

====================  ===
name                  bit
====================  ===
CAP_CHOWN             0
CAP_DAC_OVERRIDE      1
CAP_DAC_READ_SEARCH   2
CAP_FOWNER            3
CAP_FSETID            4
CAP_KILL              5
CAP_SETGID            6
CAP_SETUID            7
CAP_SETPCAP           8
CAP_LINUX_IMMUTABLE   9
CAP_NET_BIND_SERVICE  10
CAP_NET_BROADCAST     11
CAP_NET_ADMIN         12
CAP_NET_RAW           13
CAP_IPC_LOCK          14
CAP_IPC_OWNER         15
CAP_SYS_MODULE        16
CAP_SYS_RAWIO         17
CAP_SYS_CHROOT        18
CAP_SYS_PTRACE        19
CAP_SYS_PACCT         20
CAP_SYS_ADMIN         21
CAP_SYS_BOOT          22
CAP_SYS_NICE          23
CAP_SYS_RESOURCE      24
CAP_SYS_TIME          25
CAP_SYS_TTY_CONFIG    26
CAP_MKNOD             27
CAP_LEASE             28
====================  ===


Contact
=======

Neil Schemenauer <nas@arctrix.com>


Footnotes
=========

.. [1] ELF capabilities hack: http://atrey.karlin.mff.cuni.cz/~pavel/elfcap.html

