I was wondering how togive some program a certain set of capabilities (POSIX)
I searched the man pages, and found two functions capget and capset
But I cannot find more documents of how to use them or so
I also noticed a command line "lcap" which takes parameters but it seems not to work on kernel 2.4.18 so I think i have to download some patch or so
Any help please ?

Insert your application as a module, consult the Linux Kernel Module Programming Guide at www.tldp.org

cheers,
Maher

what excatly does capabelities mean in this context??
what are you trying to do??

sorry if I'm missing something obvious here.

cheers,
Alaa

Sorry, inserting your program as a module will not function as you expect it to, even though it will have many kernel capabilities. If you mean by capabilities like being root, I guess asking the user is the best choice, or if you mean by performing kernel functions then I suggest you fiddle around with the source code (and other documentation for it) till you find what you want !

Maher

Ok it seems that I've found an answer to my own question :)
So I'd like to post it here
Linux Capabilities
Is some new feature and it will be implemented in kernel 2.6.x
So all yu have to do is to download the new kernel and patch it with the patches found in this site
http://www.olafdietsche.de/linux/capability/

Please emphasise more on what do you mean by kernel capabilities!

maher

it seems to me that capabilities is like permissions but on the level of kernel services.

for instance the capability to ind low numbered port (ie to open and listen to low numbered ports like 80).

certain aspects of the operating system are only available to root, these things do not fit well with the Unix paradigm of everything is a file (network interfaces, tcp/ip ports and sockets etc) so there control is more or less arbitirary and directly through the kernel.
traditionaly if you wanted to give some program a capability like this it had to run as root (suid daemons), good coding habits dictate that such a program should open up whatever resources it needs then drop the root privilege thus reducing security risks.
however later POSIX standards have an ACL like system where you can give certain programs (maybe with certain user/group combinations) certain capabilities.

this is how I understood the thing from reading some kernel mailing list traffic, please correct me if I'm wrong.

cheers,
Alaa

Yes alaa, your understanding is correct.
the patch that was posted, works for kernel 2.5.4x and up.
and it is great feature, but needs some careful time to implement.
also, the ability to change capabilities is by default disabled, which kinda makes no sense, so there are few tricks to turn that on.
overall, I think this is yet to be stable, as of now, I would not recommend it on a production box.

Yep Sleepy
You are right
Kernel Capabilities are dividing the user privilage into smaller capabilities ..... insted of seteuid(0) , you can onle set the capability to open a raw sock ...etc by setcap , getcap ... and many other functions in the lpcap library

and what is wrong with libcap?? why do we need another solution??
how does libcap work anyway??

cheers,
Alaa

the problem is with software that was written without security in mind, without using additional features from libraries to ensure code security.Besides, the library itself wont solve the problem if the kernel implementation is missing.
what we are talking about here is transparently granting permissions to programs to do certain things but not others.
the most obvious example is something like ping, youcan take it further to shutdown, or mount or so forth.
now if you work for a company that develop linux based solution, you will often encounter the developers (or the code) wanting to do one thing here and there as root, you have few choices
you could implement your own mechanism, using unix traditional permissions, group ownership , seteuid etc etc but what the kernel capabilities offer is a clean easy way to manage all this without introducing new hazards.
read about it a little more, it is cool stuff, just not prime time yet.