January 19, 2020


The Linux Capabilities Model


Talk Title The Linux Capabilities Model
Speakers Michael Kerrisk (Trainer/writer/programmer, http://man7.org/)
Conference Open Source Summit + ELC Europe
Location Lyon, France
Date Oct 27-Nov 1, 2019

Capabilities are an attempt to mitigate the problems that result from the crude granularity of the traditional UNIX/Linux privilege model, by breaking the power of superuser into pieces which can be individually assigned to executables.

Capabilities have been present on Linux for many years, but they remain poorly understood. And though capabilities are used by many well-known pieces of software, it is probably fair to say that they are less used than the original developers may have hoped. Nevertheless, they can be used to make privileged executables that are safer than traditional set-UID-root programs.

In this talk, I’ll describe the Linux capabilities model, looking at how capabilities are attached to executable files, and the rules that determine how a process’s capabilities transform when it executes a file. I’ll also consider some of the problems of capabilities that have hindered their adoption as well as some remaining problems in their implementation.
