Capabilities
Capabilities (POSIX 1003.1e) provide fine-grained control over superuser permissions, allowing use of the root user to be avoided. A setuid binary can be replaced with a more minimal set of capabilities. Many packages make use of capabilities, such as CAP_NET_RAW being used for the ping and ping6 binaries provided by iputils.
It is considered a bug if a package has overly permissive capabilities, so these cases should be reported rather than listed here. A capability essentially equivalent to root access (CAP_SYS_ADMIN) or trivially allowing root access (CAP_DAC_OVERRIDE) does not count as a bug since Arch does not support any MAC/RBAC systems.
Prerequisites
Install libcap; its setcap utility sets file capabilities, which are stored as extended attributes.
Other programs that benefit from capabilities
The following packages do not have files with the setuid attribute but require root privileges to work. By enabling some capabilities, regular users can use the program without privilege elevation.
beep
# setcap cap_dac_override,cap_sys_tty_config+ep /usr/bin/beep
chvt
# setcap cap_dac_read_search,cap_sys_tty_config+ep /usr/bin/chvt
iftop
# setcap cap_net_raw+ep /usr/bin/iftop
mii-tool
# setcap cap_net_admin+ep /usr/bin/mii-tool
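The following is an added example, not part of the wiki page: a POSIX sh script that reads the output of getcap(8) (for example `getcap -r /usr/bin`) on stdin, checks each binary against the capability sets listed above, and flags anything outside them as well as the two capabilities the page calls root-equivalent. The getcap lines in it are constructed sample input, and /usr/local/bin/sample-tool is a placeholder path.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit `getcap -r` output against the
# per-binary capability sets listed above and flag root-equivalent capabilities.
# Expected sets, taken from the setcap commands on this page.
expected_caps() {
    case "$1" in
        /usr/bin/beep)                echo "cap_dac_override cap_sys_tty_config" ;;
        /usr/bin/chvt)                echo "cap_dac_read_search cap_sys_tty_config" ;;
        /usr/bin/iftop)               echo "cap_net_raw" ;;
        /usr/bin/mii-tool)            echo "cap_net_admin" ;;
        /usr/bin/ping|/usr/bin/ping6) echo "cap_net_raw" ;;
        *)                            echo "" ;;  # unknown binary: nothing expected
    esac
}

# Bare capability names, one per line, from a getcap line in either the newer
# "path cap_a,cap_b=ep" or the older "path = cap_a,cap_b+ep" form (flags dropped).
caps_of() {
    rest=${1#* }; rest=${rest#= }
    printf '%s\n' "$rest" | tr ',=+ ' '\n\n\n\n' | grep '^cap_'
}

# Read getcap lines on stdin; print "path capability reason" for each capability
# that is root-equivalent (per the page) or outside the expected set.
# Returns 0 when nothing was flagged, 1 otherwise.
audit_caps() {
    flagged=0
    while read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}
        allowed=$(expected_caps "$path")
        for c in $(caps_of "$line"); do
            reason=""
            case "$c" in cap_sys_admin|cap_dac_override) reason=root-equivalent ;; esac
            if [ -z "$reason" ]; then
                reason=unexpected
                for a in $allowed; do [ "$c" = "$a" ] && reason=""; done
            fi
            if [ -n "$reason" ]; then echo "$path $c $reason"; flagged=1; fi
        done
    done
    return $flagged
}
# Constructed sample in both getcap output styles; sample-tool is a placeholder.
SAMPLE='/usr/bin/ping cap_net_raw=ep
/usr/bin/iftop cap_net_admin,cap_net_raw=ep
/usr/bin/beep = cap_dac_override,cap_sys_tty_config+ep
/usr/local/bin/sample-tool cap_sys_admin=ep'
if printf '%s\n' "$SAMPLE" | audit_caps; then echo "nothing flagged"; fi
```

On a real system, replace the sample with `getcap -r /usr/bin 2>/dev/null | audit_caps`; a flagged cap_dac_override on beep is expected from the command above, the script only makes its root-equivalence visible.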
Useful commands
Find setuid-root files:
$ find /usr/bin /usr/lib -perm /4000 -user root
Find setgid-root files:
$ find /usr/bin /usr/lib -perm /2000 -group root
See also
- Man pages: capabilities(7), setcap(8), getcap(8)
- DeveloperWiki:Security#Replacing_setuid_with_capabilities