add demo showing privileged run from a runner only

author: VG <vg@devys.org> 2016-03-08 15:59:20 +0100
committer: VG <vg@devys.org> 2016-03-08 15:59:20 +0100
commit: b3406fe7469ec1511d08d6d4c7461a3714247de9 (patch)
tree: 66f33ab2c44f7f423181beef289ec0b504a97c1f /readme.rst
parent: 8b62487759bce5b0ffc548e3dbedc6fd453283e5 (diff)
download: runwithcaps-b3406fe7469ec1511d08d6d4c7461a3714247de9.tar.gz
runwithcaps-b3406fe7469ec1511d08d6d4c7461a3714247de9.tar.bz2
runwithcaps-b3406fe7469ec1511d08d6d4c7461a3714247de9.zip
1 files changed, 9 insertions, 0 deletions
diff --git a/readme.rst b/readme.rst
new file mode 100644
index 0000000..f7820b7
--- /dev/null
+++ b/readme.rst
@@ -0,0 +1,9 @@
+The first example drops caps except setuid/gid, then change to a user, then
+regain a specific capability.
+
+The second example sets the inheritable caps and drops all caps except
+setuid/gid, then change to a user, then execve a program which is assumed to
+have same set of inheritable caps sets in its xattrs + effective flag. Thus
+the result is the launched program has only a specific capability and nobody
+can automatically gain (as opposed to effective + permited file caps) the
+allowed capability. Only the runner can do it.
author	VG <vg@devys.org>	2016-03-08 15:59:20 +0100
committer	VG <vg@devys.org>	2016-03-08 15:59:20 +0100
commit	b3406fe7469ec1511d08d6d4c7461a3714247de9 (patch)
tree	66f33ab2c44f7f423181beef289ec0b504a97c1f /readme.rst
parent	8b62487759bce5b0ffc548e3dbedc6fd453283e5 (diff)
download	runwithcaps-b3406fe7469ec1511d08d6d4c7461a3714247de9.tar.gz runwithcaps-b3406fe7469ec1511d08d6d4c7461a3714247de9.tar.bz2 runwithcaps-b3406fe7469ec1511d08d6d4c7461a3714247de9.zip