To add the cap_net_raw capability to (for eg /bin/ping), we use the following:
#setcap cap_net_raw=ep /bin/ping
What is the meaning of ep and why is it required here ?
Asked
Active
Viewed 2.6k times
24
Ciro Santilli OurBigBook.com
- 347,512
- 102
- 1,199
- 985
Jake
- 16,329
- 50
- 126
- 202
-
http://kernel.org/doc/man-pages/online/pages/man7/capabilities.7.html and `man cap_from_text`. – Mat Oct 22 '11 at 15:57
-
https://unix.stackexchange.com/questions/389879/how-to-set-capabilities-with-setcap-command – Ciro Santilli OurBigBook.com Oct 05 '18 at 08:57
1 Answers
27
This sets the CAP_NET_RAW bit in both the "effective" (e) and "permitted" (p) capability sets. These two sets, along with the "inheritable" set, govern the capabilities that a process has or can set.
See more here:
Capability Sets
Each thread has three capability sets containing zero or more of the above capabilities:
Effective- the capabilities used by the kernel to perform permission checks for the thread.
Permitted- the capabilities that the thread may assume (i.e., a limiting superset for the effective and inheritable sets). If a thread drops a capability from its permitted set, it can never re-acquire that capability (unless it exec()s a set-user-ID-root program).
inheritable- the capabilities preserved across an execve(2). A child created via fork(2) inherits copies of its parent's capability sets. See below for a discussion of the treatment of capabilities during exec(). Using capset(2), a thread may manipulate its own capability sets, or, if it has the CAP_SETPCAP capability, those of a thread in another process.
chown
- 51,908
- 16
- 134
- 170