capabilities

Autres langues

Langue: ja

Version: 2006-07-31 (openSuse - 09/10/07)

Section: 7 (Divers)

̾Á°

capabilities - Linux ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£ (capability) ¤Î³µÍ×

ÀâÌÀ

¸¢¸Â¤Î¥Á¥§¥Ã¥¯¤ò¹Ô¤¦´ÑÅÀ¤«¤é¸«¤ë¤È¡¢ÅÁÅýŪ¤Ê Unix ¤Î¼ÂÁõ¤Ç¤Ï ¥×¥í¥»¥¹¤ÏÆó¤Ä¤Î¥«¥Æ¥´¥ê¤ËʬÎà¤Ç¤­¤ë: Æø¢ ¥×¥í¥»¥¹ (¼Â¸ú¥æ¡¼¥¶ID ¤¬ 0 ¤Î¥×¥í¥»¥¹¡£¥æ¡¼¥¶ID 0 ¤Ï ¥¹¡¼¥Ñ¡¼¥æ¡¼¥¶¤ä root ¤È¸Æ¤Ð¤ì¤ë) ¤È ÈóÆø¢ ¥×¥í¥»¥¹ (¼Â¸ú¥æ¡¼¥¶ID ¤¬ 0 °Ê³°¤Î¥×¥í¥»¥¹) ¤Ç¤¢¤ë¡£ ÈóÆø¢¥×¥í¥»¥¹¤Ç¤Ï¡¢¥×¥í¥»¥¹¤Î»ñ³Ê¾ðÊó (Ä̾ï¤Ï¡¢¼Â¸úUID ¡¢¼Â¸úGID ¤ÈÄɲäΥ°¥ë¡¼¥×¥ê¥¹¥È) ¤Ë´ð¤Å¤¯¸¢¸Â¥Á¥§¥Ã¥¯¤¬¹Ô¤ï¤ì¤ë¤Î¤ËÂФ·¡¢ Æø¢¥×¥í¥»¥¹¤Ç¤ÏÁ´¤Æ¤Î¥«¡¼¥Í¥ë¤Î¸¢¸Â¥Á¥§¥Ã¥¯¤¬¥Ð¥¤¥Ñ¥¹¤µ¤ì¤ë¡£

¥Ð¡¼¥¸¥ç¥ó 2.2 °Ê¹ß¤Î Linux ¤Ç¤Ï¡¢ ¤³¤ì¤Þ¤Ç¥¹¡¼¥Ñ¡¼¥æ¡¼¥¶¤Ë·ë¤ÓÉÕ¤±¤é¤ì¤Æ¤­¤¿¸¢¸Â¤ò¡¢ ¤¤¤¯¤Ä¤«¤Î¥°¥ë¡¼¥×¤Ëʬ³ä¤·¤Æ¤¤¤ë¡£¤³¤ì¤é¤Î¥°¥ë¡¼¥×¤Ï ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£(capability) ¤È¸Æ¤Ð¤ì¡¢¥°¥ë¡¼¥×Ëè¤ËÆÈΩ¤ËÍ­¸ú¡¢Ìµ¸ú¤òÀßÄê¤Ç¤­¤ë¡£ ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ï¥¹¥ì¥Ã¥Éñ°Ì¤Î°À­¤Ç¤¢¤ë¡£

¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î¥ê¥¹¥È

Linux 2.6.14 ¤Ç¤Ï¡¢°Ê²¼¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¼ÂÁõ¤µ¤ì¤Æ¤¤¤ë:
CAP_AUDIT_CONTROL (Linux 2.6.11 °Ê¹ß)
¥«¡¼¥Í¥ë´Æºº (audit) ¤ÎÍ­¸ú̵¸ú¤ÎÀÚ¤êÂؤ¨¡¢ ´Æºº¤Î¥Õ¥£¥ë¥¿¡¦¥ë¡¼¥ë¤ÎÊѹ¹¡¢ ´Æºº¤Î¾õ¶·¤ä¥Õ¥£¥ë¥¿¡¦¥ë¡¼¥ë¤Î¼èÆÀ¤¬¤Ç¤­¤ë¡£
CAP_AUDIT_WRITE (Linux 2.6.11 °Ê¹ß)
¥«¡¼¥Í¥ë´Æºº¤Î¥í¥°¤Ë¥ì¥³¡¼¥É¤ò½ñ¤­¹þ¤à¤³¤È¤¬¤Ç¤­¤ë¡£
CAP_CHOWN
¥Õ¥¡¥¤¥ë¤Î UID ¤ÈGID ¤òǤ°Õ¤ËÊѹ¹¤¹¤ë¤³¤È¤¬¤Ç¤­¤ë (chown(2) »²¾È)¡£
CAP_DAC_OVERRIDE
¥Õ¥¡¥¤¥ë¤ÎÆɤ߽Ф·¡¢½ñ¤­¹þ¤ß¡¢¼Â¹Ô¤Î¸¢¸Â¥Á¥§¥Ã¥¯¤¬¥Ð¥¤¥Ñ¥¹¤µ¤ì¤ë (DAC = "discretionary access control (Ǥ°Õ¤Î¥¢¥¯¥»¥¹À©¸æ)")¡£
CAP_DAC_READ_SEARCH
¥Õ¥¡¥¤¥ë¤ÎÆɤ߽Ф·¸¢¸Â¤Î¥Á¥§¥Ã¥¯¤È¥Ç¥£¥ì¥¯¥È¥ê¤ÎÆɤ߽Ф·¤È¼Â¹Ô ¤Î¸¢¸Â¥Á¥§¥Ã¥¯¤¬¥Ð¥¤¥Ñ¥¹¤µ¤ì¤ë¡£
CAP_FOWNER
Ä̾¥×¥í¥»¥¹¤Î¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à UID ¤¬¥Õ¥¡¥¤¥ë¤Î UID ¤Ë°ìÃפ¹¤ë¤³¤È¤¬ Í׵ᤵ¤ì¤ëÁàºî (Î㤨¤Ð chmod(2), utime(2)) ¤Ë¤ª¤±¤ë¸¢¸Â¥Á¥§¥Ã¥¯¤ò¥Ð¥¤¥Ñ¥¹¤¹¤ë¡£ ⤷¡¢ CAP_DAC_OVERRIDE ¤« CAP_DAC_READ_SEARCH ¤Ë¤è¤ê¥Á¥§¥Ã¥¯¤¬¹Ô¤ï¤ì¤ëÁàºî¤Ï½ü¤¯¡£ Ǥ°Õ¤Î¥Õ¥¡¥¤¥ë¤ËÂФ·¤Æ³ÈÄ¥¥Õ¥¡¥¤¥ë°À­¤òÀßÄꤹ¤ë¤³¤È¤¬¤Ç¤­¤ë (chattr(1) »²¾È)¡£ Ǥ°Õ¤Î¥Õ¥¡¥¤¥ë¤ËÂФ·¤Æ¥¢¥¯¥»¥¹À©¸æ¥ê¥¹¥È (ACL) ¤òÀßÄê¤Ç¤­¤ë¡£ ¥Õ¥¡¥¤¥ë¤Îºï½ü¤ÎºÝ¤Ë¥Ç¥£¥ì¥¯¥È¥ê¤Î¥¹¥Æ¥£¥Ã¥­¡¼¥Ó¥Ã¥È¤ò̵»ë¤¹¤ë¡£ open(2) ¤ä fcntl(2) ¤ÇǤ°Õ¤Î¥Õ¥¡¥¤¥ë¤ËÂФ·¤Æ O_NOATIME ¤ò»ØÄê¤Ç¤­¤ë¡£
CAP_FSETID
¥Õ¥¡¥¤¥ë¤¬Êѹ¹¤µ¤ì¤¿¤È¤­¤Ëset-user-ID ¤Èset-group-ID ¥Ó¥Ã¥È¤ò¥¯¥ê¥¢ ¤·¤Ê¤¤¡£¸Æ¤Ó½Ð¤·¸µ¥×¥í¥»¥¹¤Î¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à GID ¤ÈÄɲäΠGID ¤Î¤¤¤º¤ì¤È¤â GID ¤¬°ìÃפ·¤Ê¤¤¥Õ¥¡¥¤¥ë¤ËÂФ·¤Æ set-group-ID ¥Ó¥Ã¥È¤òÀßÄꤹ¤ë¤³¤È¤¬¤Ç¤­¤ë¡£
CAP_IPC_LOCK
¥á¥â¥ê¡¼¤Î¥í¥Ã¥¯ (mlock(2), mlockall(2), mmap(2), shmctl(2)) ¤ò¹Ô¤¦¤³¤È¤¬¤Ç¤­¤ë¡£
CAP_IPC_OWNER
System V IPC ¥ª¥Ö¥¸¥§¥¯¥È¤ËÂФ¹¤ëÁàºî¤Ë´Ø¤·¤Æ¸¢¸Â¥Á¥§¥Ã¥¯¤¬¥Ð¥¤¥Ñ¥¹¤µ¤ì¤ë¡£
CAP_KILL
¥·¥°¥Ê¥ë¤òÁ÷¿®¤¹¤ëºÝ¤Ë¸¢¸Â¥Á¥§¥Ã¥¯¤¬¥Ð¥¤¥Ñ¥¹¤µ¤ì¤ë (kill(2) »²¾È)¡£ KDSIGACCEPT ioctl ¤Î»ÈÍѤâǧ¤á¤é¤ì¤ë¡£
CAP_LEASE
(Linux 2.4 °Ê¹ß) Ǥ°Õ¤Î¥Õ¥¡¥¤¥ë¤ËÂФ·¤Æ ¥Õ¥¡¥¤¥ë¥ê¡¼¥¹¤òÀßÄꤹ¤ë¤³¤È¤¬¤Ç¤­¤ë (fcntl(2) »²¾È)¡£
CAP_LINUX_IMMUTABLE
³ÈÄ¥¥Õ¥¡¥¤¥ë°À­ EXT2_APPEND_FL ¤È EXT2_IMMUTABLE_FL ¤òÀßÄê¤Ç¤­¤ë (chattr(1) »²¾È)¡£
CAP_MKNOD
(Linux 2.4 °Ê¹ß) mknod(2) ¤ò»ÈÍѤ·¤Æ¥¹¥Ú¥·¥ã¥ë¡¦¥Õ¥¡¥¤¥ë¤òºîÀ®¤¹¤ë¤³¤È¤¬¤Ç¤­¤ë¡£
CAP_NET_ADMIN
³Æ¼ï¤Î¥Í¥Ã¥È¥ï¡¼¥¯´ØÏ¢¤ÎÁàºî¤òµö²Ä¤¹¤ë¡£ (Î㤨¤Ð¡¢Æø¢¤¬É¬Íפʥ½¥±¥Ã¥È¥ª¥×¥·¥ç¥ó¤òÀßÄꤹ¤ë¡¢¥Þ¥ë¥Á¥­¥ã¥¹¥È¤òÍ­¸ú¤Ë¤¹¤ë¡¢ ¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤òÀßÄꤹ¤ë¡¢¥ë¡¼¥Æ¥£¥ó¥°¥Æ¡¼¥Ö¥ë¤òÊѹ¹¤¹¤ë¤Ê¤É)
CAP_NET_BIND_SERVICE
¥¤¥ó¥¿¡¼¥Í¥Ã¥È¥É¥á¥¤¥ó¤ÇͽÌ󤵤ì¤Æ¤¤¤ë (1024 ÈÖ̤Ëþ¤Î) ¥½¥±¥Ã¥È¥Ý¡¼¥ÈÈÖ¹æ ¤ò»ÈÍѤǤ­¤ë¡£
CAP_NET_BROADCAST
(̤»ÈÍÑ) ¥½¥±¥Ã¥È¤Î¥Ö¥í¡¼¥É¥­¥ã¥¹¥È¤È¡¢¥Þ¥ë¥Á¥­¥ã¥¹¥È¤ÎÂÔ¤Á¼õ¤±¤ò ¹Ô¤¦¤³¤È¤¬¤Ç¤­¤ë¡£
CAP_NET_RAW
RAW ¥½¥±¥Ã¥È¤È PACKET ¥½¥±¥Ã¥È¤ò»ÈÍѤ¹¤ë¤³¤È¤¬¤Ç¤­¤ë¡£
CAP_SETGID
¥×¥í¥»¥¹¤Î GID ¤ÈÄɲäΠGID ¥ê¥¹¥È¤ËÂФ¹¤ëǤ°Õ¤ÎÁàºî¤ò¹Ô¤¦¤³¤È¤¬¤Ç¤­¤ë¡£ Unix ¥É¥á¥¤¥ó¥½¥±¥Ã¥È·Ðͳ¤Ç¥½¥±¥Ã¥È¤Î»ñ³Ê¾ðÊó (credential) ¤òÅϤ¹ºÝ¤Ë µ¶¤Î GID ¤òÅϤ¹¤³¤È¤¬¤Ç¤­¤ë¡£
CAP_SETPCAP
¸Æ¤Ó½Ð¤·¸µ¤¬µö²Ä¤µ¤ì¤Æ¤¤¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë´Þ¤Þ¤ì¤ëǤ°Õ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¡¢ ¾¤Î¥×¥í¥»¥¹¤ËÉÕÍ¿¤·¤¿¤ê¡¢ºï½ü¤·¤¿¤ê¤Ç¤­¤ë¡£
CAP_SETUID
¥×¥í¥»¥¹¤Î UID ¤ËÂФ¹¤ëǤ°Õ¤ÎÁàºî (setuid(2), setreuid(2), setresuid(2), setfsuid(2)) ¤ò¹Ô¤¦¤³¤È¤¬¤Ç¤­¤ë¡£ Unix ¥É¥á¥¤¥ó¥½¥±¥Ã¥È·Ðͳ¤Ç¥½¥±¥Ã¥È¤Î»ñ³Ê¾ðÊó (credential) ¤òÅϤ¹ºÝ¤Ë µ¶¤Î UID ¤òÅϤ¹¤³¤È¤¬¤Ç¤­¤ë¡£
CAP_SYS_ADMIN
°Ê²¼¤Î¥·¥¹¥Æ¥à´ÉÍýÍѤÎÁàºî¤ò¹Ô¤¦¤³¤È¤¬¤Ç¤­¤ë: quotactl(2), mount(2), umount(2), swapon(2), swapoff(2), sethostname(2), setdomainname(2), Ǥ°Õ¤Î System V IPC ¥ª¥Ö¥¸¥§¥¯¥È¤ËÂФ¹¤ë IPC_SET ¤È IPC_RMID Áàºî¡£ ³Èĥ°À­ trusted ¤È security ¤ËÂФ¹¤ëÁàºî¤ò¼Â¹Ô¤Ç¤­¤ë (attr(5) »²¾È)¡£ lookup_dcookie(2) ¤ò¸Æ¤Ó½Ð¤¹¤³¤È¤¬¤Ç¤­¤ë¡£ ioprio_set(2) ¤ò»È¤Ã¤Æ I/O ¥¹¥±¥¸¥å¡¼¥ê¥ó¥°¥¯¥é¥¹ IOPRIO_CLASS_RT, IOPRIO_CLASS_IDLE ¤ò³ä¤êÅö¤Æ¤ë¤³¤È¤¬¤Ç¤­¤ë¡£ keyctl(2) ¤Î KEYCTL_CHOWN ¤È KEYCTL_SETPERM Áàºî¤ò¼Â¹Ô¤Ç¤­¤ë¡£ ¥½¥±¥Ã¥È¤Î»ñ³Ê¾ðÊó (credential) ¤òÅϤ¹ºÝ¤Ëµ¶¤Î UID ¤òÅϤ¹¤³¤È¤¬¤Ç¤­¤ë¡£ ¥Õ¥¡¥¤¥ë¤ò¥ª¡¼¥×¥ó¤¹¤ë¥·¥¹¥Æ¥à¥³¡¼¥ë (Î㤨¤Ð accept(2), execve(2), open(2), pipe(2)) ¤Ç¥·¥¹¥Æ¥àÁ´ÂΤǥª¡¼¥×¥ó¤Ç¤­¤ë¥Õ¥¡¥¤¥ë¿ô¤Î¾å¸Â /proc/sys/fs/file-max ¤òĶ¤¨¤ë¤³¤È¤¬¤Ç¤­¤ë (¤³¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¤Ê¤¤¾ì¹ç¡¢¤³¤Î¾å¸Â¤Ë㤹¤ë¤È ¤³¤ì¤é¤Î¥·¥¹¥Æ¥à¥³¡¼¥ë¤Ï ENFILE ¥¨¥é¡¼¤Ç¼ºÇÔ¤¹¤ë)¡£ clone(2) ¤È unshare(2) ¤Ç CLONE_NEWNS ¥Õ¥é¥°¤òÍøÍѤǤ­¤ë¡£
CAP_SYS_BOOT
reboot(2) ¤È kexec_load(2) ¤ò¸Æ¤Ó½Ð¤¹¤³¤È¤¬¤Ç¤­¤ë¡£
CAP_SYS_CHROOT
chroot(2). ¤ò¸Æ¤Ó½Ð¤¹¤³¤È¤¬¤Ç¤­¤ë¡£
CAP_SYS_MODULE
¥«¡¼¥Í¥ë¥â¥¸¥å¡¼¥ë¤Î¥í¡¼¥É¡¢¥¢¥ó¥í¡¼¥É¤ò¹Ô¤¦¤³¤È¤¬¤Ç¤­¤ë¡£ ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È (capability bounding set) ¤òÊѹ¹¤Ç¤­¤ë¡£ (init_module(2) ¤È delete_module(2) ¤ò»²¾È¤Î¤³¤È)
CAP_SYS_NICE
¥×¥í¥»¥¹¤Î nice Ãͤΰú¤­¾å¤² (nice(2), setpriority(2)) ¤ä¡¢Ç¤°Õ¤Î¥×¥í¥»¥¹¤Î nice ÃͤÎÊѹ¹¤ò¹Ô¤¦¤³¤È¤¬¤Ç¤­¤ë¡£ ¸Æ¤Ó½Ð¤·¸µ¥×¥í¥»¥¹¤ËÂФ¹¤ë¥ê¥¢¥ë¥¿¥¤¥à¡¦¥¹¥±¥¸¥å¡¼¥ê¥ó¥°¥Ý¥ê¥·¡¼¤ÎÀßÄê¤È¡¢ Ǥ°Õ¤Î¥×¥í¥»¥¹¤ËÂФ¹¤ë¥¹¥±¥¸¥å¡¼¥ê¥ó¥°¥Ý¥ê¥·¡¼¤ÈÍ¥ÀèÅÙ¤ÎÀßÄê¤ò¹Ô¤¦¤³¤È¤¬¤Ç¤­¤ë (sched_setscheduler(2), sched_setparam(2))¡£ Ǥ°Õ¤Î¥×¥í¥»¥¹¤ËÂФ¹¤ë CPU affinity ¤òÀßÄê¤Ç¤­¤ë (sched_setaffinity(2))¡£ Ǥ°Õ¤Î¥×¥í¥»¥¹¤ËÂФ·¤Æ I/O ¥¹¥±¥¸¥å¡¼¥ê¥ó¥°¥¯¥é¥¹¤ÈÍ¥ÀèÅÙ¤òÀßÄê¤Ç¤­¤ë (ioprio_set(2))¡£ migrate_pages(2) ¤òǤ°Õ¤Î¥×¥í¥»¥¹¤ËŬÍѤǤ­¡¢¥×¥í¥»¥¹¤òǤ°Õ¤Î¥Î¡¼¥É¤Ë°ÜÆ°¤Ç¤­¤ë¡£ move_pages(2) ¤òǤ°Õ¤Î¥×¥í¥»¥¹¤ËÂФ·¤Æ¹Ô¤¦¤³¤È¤¬¤Ç¤­¤ë¡£ mbind(2) ¤È move_pages(2) ¤Ç MPOL_MF_MOVE_ALL ¥Õ¥é¥°¤ò»ÈÍѤǤ­¤ë¡£
CAP_SYS_PACCT
acct(2) ¤ò¸Æ¤Ó½Ð¤¹¤³¤È¤¬¤Ç¤­¤ë¡£
CAP_SYS_PTRACE
Ǥ°Õ¤Î¥×¥í¥»¥¹¤ËÂФ· ptrace(2) ¤òÍѤ¤¤¿¥È¥ì¡¼¥¹¤ò¹Ô¤¦¤³¤È¤¬¤Ç¤­¤ë¡£
CAP_SYS_RAWIO
I/O ¥Ý¡¼¥ÈÁàºî¤ò¹Ô¤¦¤³¤È¤¬¤Ç¤­¤ë (iopl(2) ¡¢ ioperm(2))¡£ /proc/kcore ¤Ë¥¢¥¯¥»¥¹¤Ç¤­¤ë¡£
CAP_SYS_RESOURCE
°Ê²¼¤ÎÁàºî¤ò¹Ô¤¦¤³¤È¤¬¤Ç¤­¤ë: ext2 ¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à¾å¤ÇͽÌ󤵤ì¤Æ¤¤¤ëÎΰè¤Î»ÈÍÑ¡£ ext3 ¤Î¥¸¥ã¡¼¥Ê¥ëµ¡Ç½¤òÀ©¸æ¤¹¤ë ioctl(2) ¤Î»ÈÍÑ¡£¥Ç¥£¥¹¥¯ quota ¤Î¾å¸Â¤ò¾å½ñ¤­¡£ ¥ê¥½¡¼¥¹¾å¸Â¤òÁý¤ä¤¹¤³¤È (setrlimit(2))¡£ RLIMIT_NPROC ¤Ë¤è¤ë¥ê¥½¡¼¥¹À©¸Â¤Î¾å½ñ¤­¡£ ¥á¥Ã¥»¡¼¥¸¥­¥å¡¼¤Ë´Ø¤¹¤ë¾å¸Â msg_qbytes ¤ò /proc/sys/kernel/msgmnb ¤Ë»ØÄꤵ¤ì¤Æ¤¤¤ë¾å¸Â¤è¤ê¤âÂ礭¤¯ÀßÄꤹ¤ë¤³¤È (msgop(2) ¤È msgctl(2) »²¾È)
CAP_SYS_TIME
¥·¥¹¥Æ¥à¥¯¥í¥Ã¥¯¤òÊѹ¹¤Ç¤­¤ë (settimeofday(2), stime(2), adjtimex(2))¡£ ¥ê¥¢¥ë¥¿¥¤¥à (¥Ï¡¼¥É¥¦¥§¥¢) ¥¯¥í¥Ã¥¯¤òÊѹ¹¤Ç¤­¤ë¡£
CAP_SYS_TTY_CONFIG
vhangup(2) ¤ò¸Æ¤Ó½Ð¤¹¤³¤È¤¬¤Ç¤­¤ë¡£

¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È

³Æ¥¹¥ì¥Ã¥É¤Ï°Ê²¼¤Î 3¼ïÎà¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ò»ý¤Ä¡£³Æ¡¹¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ï ¾åµ­¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ÎÁȤ߹ç¤ï¤»¤Ç¤¢¤ë (Á´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬Ìµ¸ú¤Ç¤â¤è¤¤)¡£
¼Â¸ú (effective):
¥«¡¼¥Í¥ë¤¬¥¹¥ì¥Ã¥É¤Î¸¢¸Â¤ò¥Á¥§¥Ã¥¯¤¹¤ë¤È¤­¤Ë»ÈÍѤ¹¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£½¸¹ç¡£
µö²Ä (permitted):
¤½¤Î¥¹¥ì¥Ã¥É¤¬»ý¤Ä¤³¤È¤òµö²Ä¤µ¤ì¤Æ¤¤¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£½¸¹ç (¸À¤¤´¹¤¨¤ë¤È¡¢ ¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤È·Ñ¾µ²Äǽ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Î¥¹¡¼¥Ñ¡¼¥»¥Ã¥È¤Ç¤¢¤ë)¡£ µö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤«¤éºï½ü¤·¤Æ¤·¤Þ¤Ã¤¿¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ï¡¢ (set-user-ID-root ¥×¥í¥°¥é¥à¤ò execv(2) ¤·¤Ê¤¤¸Â¤ê¤Ï) ¤â¤¦°ìÅÙ³ÍÆÀ¤¹¤ë¤³¤È¤Ï¤Ç¤­¤Ê¤¤¡£
·Ñ¾µ²Äǽ (inheritable):
execve(2) ¤òÁ°¸å¤ÇÊÝ»ý¤µ¤ì¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£½¸¹ç¡£

fork(2) ¤ÇºîÀ®¤µ¤ì¤ë»Ò¥×¥í¥»¥¹¤Ï¡¢¿Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Î¥³¥Ô¡¼¤ò·Ñ¾µ¤¹¤ë¡£ execve(2) Ãæ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î°·¤¤¤Ë¤Ä¤¤¤Æ¤Ï²¼µ­¤ò»²¾È¤Î¤³¤È¡£

capset(2) ¤ò»È¤¦¤È¡¢¥×¥í¥»¥¹¤Ï¼«Ê¬¼«¿È¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È ¤òÁàºî¤¹¤ë¤³¤È¤¬¤Ç¤­¤ë¡£¤Þ¤¿¡¢ CAP_SETPCAP ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ã¤Æ¤¤¤ë¾ì¹ç¤Ë¤Ï¡¢ÊÌ¥×¥í¥»¥¹¤Î¥¹¥ì¥Ã¥É¤Î ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤âÁàºî¤Ç¤­¤ë¡£

¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È

¥×¥í¥°¥é¥à¤¬¼Â¹Ô¤µ¤ì¤ë¤È¡¢¡¢µö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤È¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ë¤Ï¡¢ /proc/sys/kernel/cap-bound ¤ÇÄêµÁ¤µ¤ì¤Æ¤¤¤ë¡¢ ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È (capability bounding set) ¤È¤¤¤ï¤ì¤ëÃͤÈÏÀÍýϤò¤È¤Ã¤¿¸å¤ÎÃͤ¬ÀßÄꤵ¤ì¤ë¡£ ¤³¤Î¥Ñ¥é¥á¡¼¥¿¤ò»È¤¦¤³¤È¤Ç¡¢¤³¤ì¤è¤ê¸å¤Ç¼Â¹Ô¤µ¤ì¤ë¤¹¤Ù¤Æ¤Î¥×¥í¥°¥é¥à¤Ë Í¿¤¨¤é¤ì¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ËÂФ¹¤ë¥·¥¹¥Æ¥àÁ´ÂΤǤÎÀ©¸Â¤òÀߤ±¤ë¤³¤È¤¬¤Ç¤­¤ë¡£ (´Ö°ã¤¨¤ä¤¹¤¤¤¬¡¢¥Ó¥Ã¥È¥Þ¥¹¥¯·Á¼°¤Î¥Ñ¥é¥á¡¼¥¿¤Ï¡¢ /proc/sys/kernel/cap-bound ¤Ç¤ÏÉä¹æÉÕ¤­¤Î½½¿Ê¿ô¤Çɽ¼¨¤µ¤ì¤ë¡£)

init ¥×¥í¥»¥¹¤Î¤ß¤¬¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤òÀßÄꤹ¤ë¤³¤È¤¬½ÐÍè¤ë¡£ ¤Þ¤¿¡¢¥¹¡¼¥Ñ¡¼¥æ¡¼¥¶¡¼¤Ç¤¢¤ì¤Ð¡¢¤³¤Î¥»¥Ã¥È¤«¤é¥Ó¥Ã¥È¤ò¥¯¥ê¥¢¤¹¤ëÁàºî ¤À¤±¤Ï¼Â¹Ô¤Ç¤­¤ë¡£

Ä̾ï¤Î¥·¥¹¥Æ¥à¤Ç¤Ï¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï¡¢ CAP_SETPCAP ¤¬Ìµ¸ú¤Ë¤Ê¤Ã¤Æ¤¤¤ë¡£ ¤³¤ÎÀ©¸Â¤ò¼è¤êµî¤ë¤Ë¤Ï (¼è¤êµî¤ë¤Î¤Ï´í¸±!)¡¢ include/linux/capability.h Æâ¤Î CAP_INIT_EFF_SET ¤ÎÄêµÁ¤ò½¤Àµ¤·¡¢¥«¡¼¥Í¥ë¤òºÆ¹½ÃÛ¤¹¤ëɬÍפ¬¤¢¤ë¡£

¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥Èµ¡Ç½¤Î Linux ¤Ø¤ÎÄÉ²Ã¤Ï ¥«¡¼¥Í¥ë 2.2.11 ¤«¤é³«»Ï¤µ¤ì¤¿¡£

¸½ºß¤È¾­Íè¤Î¼ÂÁõ

´°Á´¤Ê·Á¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¼ÂÁõ¤¹¤ë¤Ë¤Ï¡¢°Ê²¼¤ÎÍ×·ï¤òËþ¤¿¤¹É¬Íפ¬¤¢¤ë¡§
1.
Á´¤Æ¤ÎÆø¢Áàºî¤Ë¤Ä¤¤¤Æ¡¢¥«¡¼¥Í¥ë¤Ï¤½¤Î¥¹¥ì¥Ã¥É¤Î¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë ɬÍפʥ±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¤¢¤ë¤«¤ò³Îǧ¤¹¤ë¡£
2.
¥«¡¼¥Í¥ë¤Ç¡¢¤¢¤ë¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤òÊѹ¹¤·¤¿¤ê¡¢ ¼èÆÀ¤·¤¿¤ê¤Ç¤­¤ë¥·¥¹¥Æ¥à¥³¡¼¥ë¤¬Ä󶡤µ¤ì¤ë¡£
3.
¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à¤¬¡¢¼Â¹Ô²Äǽ¥Õ¥¡¥¤¥ë¤Ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òÉÕÍ¿¤Ç¤­¡¢¥Õ¥¡¥¤¥ë ¼Â¹Ô»þ¤Ë¤½¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥×¥í¥»¥¹¤¬¼èÆÀ¤Ç¤­¤ë¤è¤¦¤Êµ¡Ç½¤ò¥µ¥Ý¡¼¥È¤¹¤ë¡£

Linux 2.6.6 ¤Ç¤Ï¡¢ºÇ½é¤Î 2¤Ä¤ÎÍ×·ï¤Î¤ß¤¬Ëþ¤¿¤µ¤ì¤Æ¤¤¤ë¡£

·ë¶É¡¢¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÈÏ¢·ë¤µ¤ì¡¢ execve(2) ¸å¤Î¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ò·èÄꤹ¤ë 3 ¤Ä¤Î ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤È¡¢¼Â¸ú²Äǽ¤Ê¥Õ¥¡¥¤¥ë¤È¤ò´Ø·¸ÉÕ¤±¤ë¤³¤È¤¬½ÐÍè¤ë¡£

·Ñ¾µ²Äǽ (Inheritable) (°ÊÁ°¤Î µöÍÆ (Allowed)):
¤³¤Î¥»¥Ã¥È¤Ï¡¢¥¹¥ì¥Ã¥É¤Î·Ñ¾µ²Äǽ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÈÏÀÍýϤ¬¤È¤é¤ì¡¢ execve(2) ¤Î¸å¤Ç¥¹¥ì¥Ã¥É¤Ëǧ¤á¤é¤ì¤ë·Ñ¾µ²Äǽ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î·èÄê¤Ë»È¤ï¤ì¤ë¡£
µö²Ä (Permitted) (°ÊÁ°¤Î¶¯À© (Forced)):
¥¹¥ì¥Ã¥É¤Î·Ñ¾µ²Äǽ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ë´Ø¤ï¤é¤º¡¢¤½¤Î¥¹¥ì¥Ã¥É¤Ë¼«Æ°Åª¤Ë ǧ¤á¤é¤ì¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡£
¼Â¸ú (Effective):
¤½¤Î¥¹¥ì¥Ã¥É¤Î¿·¤·¤¤µö²Ä (permitted) ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Î¤¦¤Á¡¢ ¿·¤·¤¤¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ç¤â¥»¥Ã¥È¤µ¤ì¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡£ (Ä̾ F(effective) ¤Ï¤¹¤Ù¤Æ 0 ¤«¡¢¤¹¤Ù¤Æ 1 ¤Î¤É¤Á¤é¤«¤È¤Ê¤ë)

ÅöÌ̤ϡ¢¥Õ¥¡¥¤¥ë¡¦¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤¬¼ÂÁõ¤µ¤ì¤Æ¤¤¤Ê¤¤¤Î¤Ç¡¢ execve(2) »þ¤Ë¤Ï°Ê²¼¤Î¤è¤¦¤Ê½èÍý¤¬¹Ô¤ï¤ì¤ë¡§

1.
3¼ïÎà¤Î¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ï½é´ü¾õÂ֤Ǥϥ¯¥ê¥¢¤µ¤ì¤Æ¤¤¤ë¤â¤Î¤È ²¾Äꤵ¤ì¤ë¡£
2.
set-user-ID-root ¥×¥í¥°¥é¥à¤¬¼Â¹Ô¤µ¤ì¤¿¾ì¹ç¤«¡¢¥×¥í¥»¥¹¤Î¼Â¥æ¡¼¥¶ID ¤¬ 0 (root) ¤Î¾ì¹ç¤Ï¡¢·Ñ¾µ²Äǽ¤Èµö²Ä¤Î¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤¬ ¤¹¤Ù¤Æ 1 (¤Ä¤Þ¤ê¡¢Á´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬Í­¸ú) ¤Ë¥»¥Ã¥È¤µ¤ì¤ë¡£
3.
set-user-ID-root ¥×¥í¥°¥é¥à¤¬¼Â¹Ô¤µ¤ì¤¿¾ì¹ç¤Ï¡¢¼Â¸ú¥Õ¥¡¥¤¥ë ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤¬Á´¤Æ 1 ¤Ë¥»¥Ã¥È¤µ¤ì¤ë¡£

exec() Ãæ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ÎÊѲ½

execve(2) Ãæ¤Ï¡¢¥«¡¼¥Í¥ë¤Ï¥×¥í¥»¥¹¤Î¿·¤·¤¤¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¼¡¤Î ¥¢¥ë¥´¥ê¥º¥à¤òÍѤ¤¤Æ·×»»¤¹¤ë¡§




P'(permitted) = (P(inheritable) & F(inheritable)) |

                (F(permitted) & cap_bset)



P'(effective) = P'(permitted) & F(effective)



P'(inheritable) = P(inheritable)    [¤Ä¤Þ¤ê¡¢Êѹ¹¤µ¤ì¤Ê¤¤]



³ÆÊÑ¿ô¤Î°ÕÌ£¤Ï°Ê²¼¤ÎÄ̤ê:
P
execve(2) Á°¤Î¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÃÍ
P'
execve(2) ¸å¤Î¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÃÍ
F
¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÃÍ
cap_bset
¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤ÎÃÍ

¸½ºß¤Î¼ÂÁõ¤Ç¤Ï¡¢¤³¤Î¥¢¥ë¥´¥ê¥º¥à¤Î·ë²Ì¡¢ ¥×¥í¥»¥¹¤¬ set-user-ID-root ¥×¥í¥°¥é¥à¤ò execve(2) ¤¹¤ë¤È¤­¡¢¤Þ¤¿¤Ï¼Â¸ú UID ¤¬ 0 ¤Î¥×¥í¥»¥¹¤¬¥×¥í¥°¥é¥à¤ò execve(2) ¤¹¤ë¤È¤­¡¢µö²Ä¤È¼Â¸ú¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÁ´¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£ (Àµ³Î¤Ë¤Ï¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ë¤è¤ë¥Þ¥¹¥¯¤Ç½ü³°¤µ¤ì¤ë¤â¤Î (¤Ä¤Þ¤ê CAP_SETPCAP) °Ê³°¤ÎÁ´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£) ¤ò¼èÆÀ¤¹¤ë¤³¤È¤Ë¤Ê¤ë¡£ ¤³¤ì¤Ë¤è¤ê¡¢ÅÁÅýŪ¤Ê Unix ¥·¥¹¥Æ¥à¤ÈƱ¤¸¿¶¤ëÉñ¤¤¤¬¤Ç¤­¤ë¤è¤¦¤Ë¤Ê¤Ã¤Æ¤¤¤ë¡£

¥æ¡¼¥¶ ID Êѹ¹¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ø¤Î±Æ¶Á

¥æ¡¼¥¶ ID ¤¬ 0 ¤È 0 °Ê³°¤Î´Ö¤ÇÊѲ½¤¹¤ëºÝ¤Î¿¶¤ëÉñ¤¤¤ò½¾Íè¤ÈƱ¤¸¤Ë¤¹¤ë¤¿¤á¡¢ ¥¹¥ì¥Ã¥É¤Î¼Â UID¡¢¼Â¸ú UID¡¢Êݸ set-user-ID¡¢¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à UID ¤¬ (setuid(2), setresuid(2) ¤Ê¤É¤ò»È¤Ã¤Æ) Êѹ¹¤µ¤ì¤¿ºÝ¤Ë¡¢¥«¡¼¥Í¥ë¤Ï¤½¤Î¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë °Ê²¼¤ÎÊѹ¹¤ò¹Ô¤¦:
1.
UID ¤ÎÊѹ¹Á°¤Ë¤Ï¼Â UID¡¢¼Â¸ú UID¡¢Êݸ set-user-ID ¤Î¤¦¤Á ¾¯¤Ê¤¯¤È¤â°ì¤Ä¤¬ 0 ¤Ç¡¢Êѹ¹¸å¤Ë¼Â UID¡¢¼Â¸ú UID¡¢Êݸ set-user-ID ¤¬ ¤¹¤Ù¤Æ 0 °Ê³°¤ÎÃͤˤʤ俾ì¹ç¡¢µö²Ä¤È¼Â¸ú¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Î Á´¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥¯¥ê¥¢¤¹¤ë¡£
2.
¼Â¸ú UID ¤¬ 0 ¤«¤é 0 °Ê³°¤ËÊѹ¹¤µ¤ì¤¿¾ì¹ç¡¢ ¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÁ´¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥¯¥ê¥¢¤¹¤ë¡£
3.
¼Â¸ú UID ¤¬ 0 °Ê³°¤«¤é 0 ¤ËÊѹ¹¤µ¤ì¤¿¾ì¹ç¡¢ µö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÆâÍƤò¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë¥³¥Ô¡¼¤¹¤ë¡£
4.
¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à UID ¤¬ 0 ¤«¤é 0 °Ê³°¤ËÊѹ¹¤µ¤ì¤¿¾ì¹ç (setfsuid(2) »²¾È)¡¢¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Î°Ê²¼¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¥¯¥ê¥¢¤µ¤ì¤ë: CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_FSETID. ¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à UID ¤¬ 0 °Ê³°¤«¤é 0 ¤ËÊѹ¹¤µ¤ì¤¿¾ì¹ç¡¢ ¾åµ­¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î¤¦¤Áµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÇÍ­¸ú¤Ë¤Ê¤Ã¤Æ¤¤¤ë¤â¤Î¤¬ ¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÇÍ­¸ú¤Ë¤µ¤ì¤ë¡£

³Æ¼ï UID ¤Î¤¦¤Á¾¯¤Ê¤¯¤È¤â°ì¤Ä¤¬ 0 ¤Ç¤¢¤ë¥¹¥ì¥Ã¥É¤¬¡¢ ¤½¤Î UID ¤ÎÁ´¤Æ¤¬ 0 °Ê³°¤Ë¤Ê¤Ã¤¿¤È¤­¤Ëµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤¬ ¥¯¥ê¥¢¤µ¤ì¤Ê¤¤¤è¤¦¤Ë¤·¤¿¤¤¾ì¹ç¤Ë¤Ï¡¢ prctl() ¤Î PR_SET_KEEPCAPS Áàºî¤ò»È¤¨¤Ð¤è¤¤¡£

½àµò

¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ë´Ø¤¹¤ëɸ½à¤Ï¤Ê¤¤¤¬¡¢ Linux ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ÏÇѰƤˤʤä¿ POSIX.1e Áð°Æ¤Ë´ð¤Å¤¤¤Æ¼ÂÁõ¤µ¤ì¤Æ¤¤¤ë¡£

Ãí°Õ

libcap ¥Ñ¥Ã¥±¡¼¥¸¤Ï¡¢¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òÀßÄꡦ¼èÆÀ¤¹¤ë¤¿¤á¤Î ¥ë¡¼¥Á¥ó·²¤òÄ󶡤·¤Æ¤¤¤ë¡£¤³¤ì¤é¤Î¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤Ï¡¢ capset(2) ¤È capget(2) ¤¬Ä󶡤¹¤ë¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ÈÈæ¤Ù¤Æ¡¢¤è¤ê»È¤¤¤ä¤¹¤¯¡¢Êѹ¹¤µ¤ì¤ë²ÄǽÀ­¤¬¾¯¤Ê¤¤¡£

¥Ð¥°

º£¤Î¤È¤³¤í¡¢¼Â¹Ô²Äǽ¥Õ¥¡¥¤¥ë¤Ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò·ë¤ÓÉÕ¤±¤ëµ¡Ç½¤ò¥µ¥Ý¡¼¥È¤·¤Æ¤¤¤ë ¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à¤Ï¤Ê¤¤¡£

´ØÏ¢¹àÌÜ

capget(2), prctl(2), setfsuid(2), pthreads(7)