diff options
author | VG <vg@devys.org> | 2016-03-08 15:59:20 +0100 |
---|---|---|
committer | VG <vg@devys.org> | 2016-03-08 15:59:20 +0100 |
commit | b3406fe7469ec1511d08d6d4c7461a3714247de9 (patch) | |
tree | 66f33ab2c44f7f423181beef289ec0b504a97c1f /readme.rst | |
parent | 8b62487759bce5b0ffc548e3dbedc6fd453283e5 (diff) | |
download | runwithcaps-b3406fe7469ec1511d08d6d4c7461a3714247de9.tar.gz runwithcaps-b3406fe7469ec1511d08d6d4c7461a3714247de9.tar.bz2 runwithcaps-b3406fe7469ec1511d08d6d4c7461a3714247de9.zip |
add demo showing privileged run from a runner only
Diffstat (limited to 'readme.rst')
-rw-r--r-- | readme.rst | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/readme.rst b/readme.rst new file mode 100644 index 0000000..f7820b7 --- /dev/null +++ b/readme.rst @@ -0,0 +1,9 @@ +The first example drops caps except setuid/gid, then change to a user, then +regain a specific capability. + +The second example sets the inheritable caps and drops all caps except +setuid/gid, then change to a user, then execve a program which is assumed to +have same set of inheritable caps sets in its xattrs + effective flag. Thus +the result is the launched program has only a specific capability and nobody +can automatically gain (as opposed to effective + permited file caps) the +allowed capability. Only the runner can do it. |