Originální popis anglicky:
capget, capset - set/get process capabilities
Návod, kniha: Linux Programmer's Manual
#undef _POSIX_SOURCE
#include <sys/capability.h>
int capget(cap_user_header_t hdrp, cap_user_data_t
datap);
int capset(cap_user_header_t hdrp, const cap_user_data_t
datap);
As of Linux 2.2, the power of the superuser (root) has been partitioned into a
set of discrete capabilities. Every process has a set of effective
capabilities identifying which capabilities (if any) it may currently
exercise. Every process also has a set of inheritable capabilities that may be
passed through an
execve(2) call, and a set of permitted capabilities
that it can make effective or inheritable.
These two functions are the raw kernel interface for getting and setting
capabilities. Not only are these system calls specific to Linux, but the
kernel API is likely to change and use of these functions (in particular the
format of the
cap_user_*_t types) is subject to change with each kernel
revision.
The portable interfaces are
cap_set_proc(3) and
cap_get_proc(3);
if possible you should use those interfaces in applications. If you wish to
use the Linux extensions in applications, you should use the easier-to-use
interfaces
capsetp(3) and
capgetp(3).
Now that you have been warned, some current kernel details. The structs are
defined as follows.
#define _LINUX_CAPABILITY_VERSION 0x19980330
typedef struct __user_cap_header_struct {
int version;
int pid;
} *cap_user_header_t;
typedef struct __user_cap_data_struct {
int effective;
int permitted;
int inheritable;
} *cap_user_data_t;
The calls will return EINVAL, and set the version field of
hdr to
_LINUX_CAPABILITY_VERSION when another version was specified.
The calls refer to the capabilities of the process indicated by the pid field of
hdr when that is nonzero, or to the current process otherwise.
For details on the data, see
capabilities(7).
On success, zero is returned. On error, -1 is returned, and
errno is set
appropriately.
- EFAULT
- Bad memory address. Neither of hdrp and datap
may be NULL.
- EINVAL
- One of the arguments was invalid.
- EPERM
- An attempt was made to add a capability to the Permitted
set, or to set a capability in the Effective or Inheritable sets that is
not in the Permitted set.
- EPERM
- The calling process attempted to use capset() to
modify the capabilities of a process other than itself, but lacked
sufficient privilege; the CAP_SETPCAP capability is required.
- ESRCH
- No such process.
The portable interface to the capability querying and setting functions is
provided by the
libcap library and is available from here:
ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs
capabilities(7)
