LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Linux has file-flags too

Linux has file-flags too

Posted May 9, 2004 22:13 UTC (Sun) by sweikart (guest, #4276)
In reply to: Linux has file-flags too by eru
Parent article: OpenBSD 3.5: a peek at another free Unix

> ... the superuser can set or clear [immutable/append-only attributes].

With a Linux kernel, you can prevent clearing these flags by dropping CAP_LINUX_IMMUTABLE from the Capability Bounding Set by doing:

  echo 0xFFFEFFFF ?> /proc/sys/kernel/cap-bound
And, to make the Linux kernel more secure then the similar OpenBSD setup, you can also drop CAP_SYS_MODULE and CAP_SYS_RAWIO (and similar capabilities). For a good description, see "Fun with the capability bounding set" at
  http://lwn.net/1999/1202/kernel.php3

(Log in to post comments)

Linux has file-flags too

Posted May 9, 2004 22:28 UTC (Sun) by sweikart (guest, #4276) [Link] 

> With a Linux kernel, you can prevent clearing these flags by
> dropping CAP_LINUX_IMMUTABLE from the Capability Bounding Set
> by doing:
>
>  echo 0xFFFEFFFF ?> /proc/sys/kernel/cap-bound
Oops, I copied this line of code from the LWN article, and forgot to change it to drop CAP_LINUX_IMMUTABLE (the example above drops CAP_SYS_MODULE). To drop CAP_LINUX_IMMUTABLE, do
  echo 0xFFFFFDFF ?> /proc/sys/kernel/cap-bound

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds