(split) Import translated manuals from JM CVS Repository.

[linuxjm/LDP_man-pages.git] / release / man7 / capabilities.7

.\" Copyright (c) 2002 by Michael Kerrisk <mtk.manpages@gmail.com>
.\"
.\" Permission is granted to make and distribute verbatim copies of this
.\" manual provided the copyright notice and this permission notice are
.\" preserved on all copies.
.\"
.\" Permission is granted to copy and distribute modified versions of this
.\" manual under the conditions for verbatim copying, provided that the
.\" entire resulting derived work is distributed under the terms of a
.\" permission notice identical to this one.
.\"
.\" Since the Linux kernel and libraries are constantly changing, this
.\" manual page may be incorrect or out-of-date.  The author(s) assume no
.\" responsibility for errors or omissions, or for damages resulting from
.\" the use of the information contained herein.  The author(s) may not
.\" have taken the same level of care in the production of this manual,
.\" which is licensed free of charge, as they might when working
.\" professionally.
.\"
.\" Formatted or processed versions of this manual, if unaccompanied by
.\" the source, must acknowledge the copyright and authors of this work.
.\"
.\" 6 Aug 2002 - Initial Creation
.\" Modified 2003-05-23, Michael Kerrisk, <mtk.manpages@gmail.com>
.\" Modified 2004-05-27, Michael Kerrisk, <mtk.manpages@gmail.com>
.\" 2004-12-08, mtk Added O_NOATIME for CAP_FOWNER
.\" 2005-08-16, mtk, Added CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE
.\" 2008-07-15, Serge Hallyn <serue@us.bbm.com>
.\"     Document file capabilities, per-process capability
.\"     bounding set, changed semantics for CAP_SETPCAP,
.\"     and other changes in 2.6.2[45].
.\"     Add CAP_MAC_ADMIN, CAP_MAC_OVERRIDE, CAP_SETFCAP.
.\" 2008-07-15, mtk
.\"     Add text describing circumstances in which CAP_SETPCAP
.\"     (theoretically) permits a thread to change the
.\"     capability sets of another thread.
.\"     Add section describing rules for programmatically
.\"     adjusting thread capability sets.
.\"     Describe rationale for capability bounding set.
.\"     Document "securebits" flags.
.\"     Add text noting that if we set the effective flag for one file
.\"     capability, then we must also set the effective flag for all
.\"     other capabilities where the permitted or inheritable bit is set.
.\"
.\" Japanese Version Copyright (c) 2005 Akihiro MOTOKI all rights reserved.
.\" Translated 2005-03-09, Akihiro MOTOKI <amotoki@dd.iij4u.or.jp>
.\" Updated 2005-11-04, Akihiro MOTOKI
.\" Updated 2006-04-16, Akihiro MOTOKI, LDP v2.29
.\" Updated 2006-07-20, Akihiro MOTOKI, LDP v2.34
.\" Updated 2007-01-05, Akihiro MOTOKI, LDP v2.43
.\" Updated 2008-12-24, Akihiro MOTOKI, LDP v3.15
.\" Updated 2009-02-27, Akihiro MOTOKI, LDP v3.19
.\" Updated 2010-04-11, Akihiro MOTOKI, LDP v3.24
.\"
.TH CAPABILITIES 7 2010-01-31 "Linux" "Linux Programmer's Manual"
.SH ̾Á°
capabilities \- Linux ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£ (capability) ¤Î³µÍ×
.SH ÀâÌÀ
¸¢¸Â¤Î¥Á¥§¥Ã¥¯¤ò¹Ô¤¦´ÑÅÀ¤«¤é¸«¤ë¤È¡¢ÅÁÅýŪ¤Ê Unix ¤Î¼ÂÁõ¤Ç¤Ï
¥×¥í¥»¥¹¤ÏÆó¤Ä¤Î¥«¥Æ¥´¥ê¤ËʬÎà¤Ç¤­¤ë:
.I Æø¢
¥×¥í¥»¥¹ (¼Â¸ú¥æ¡¼¥¶ID ¤¬ 0 ¤Î¥×¥í¥»¥¹¡£¥æ¡¼¥¶ID 0 ¤Ï
¥¹¡¼¥Ñ¡¼¥æ¡¼¥¶¤ä root ¤È¸Æ¤Ð¤ì¤ë) ¤È
.I ÈóÆø¢
¥×¥í¥»¥¹ (¼Â¸ú¥æ¡¼¥¶ID ¤¬ 0 °Ê³°¤Î¥×¥í¥»¥¹) ¤Ç¤¢¤ë¡£
ÈóÆø¢¥×¥í¥»¥¹¤Ç¤Ï¡¢¥×¥í¥»¥¹¤Î»ñ³Ê¾ðÊó (Ä̾ï¤Ï¡¢¼Â¸úUID ¡¢¼Â¸úGID
¤ÈÄɲäΥ°¥ë¡¼¥×¥ê¥¹¥È) ¤Ë´ð¤Å¤¯¸¢¸Â¥Á¥§¥Ã¥¯¤¬¹Ô¤ï¤ì¤ë¤Î¤ËÂФ·¡¢
Æø¢¥×¥í¥»¥¹¤Ç¤ÏÁ´¤Æ¤Î¥«¡¼¥Í¥ë¤Î¸¢¸Â¥Á¥§¥Ã¥¯¤¬¥Ð¥¤¥Ñ¥¹¤µ¤ì¤ë¡£

¥Ð¡¼¥¸¥ç¥ó 2.2 °Ê¹ß¤Î Linux ¤Ç¤Ï¡¢
¤³¤ì¤Þ¤Ç¥¹¡¼¥Ñ¡¼¥æ¡¼¥¶¤Ë·ë¤ÓÉÕ¤±¤é¤ì¤Æ¤­¤¿¸¢¸Â¤ò¡¢
¤¤¤¯¤Ä¤«¤Î¥°¥ë¡¼¥×¤Ëʬ³ä¤·¤Æ¤¤¤ë¡£¤³¤ì¤é¤Î¥°¥ë¡¼¥×¤Ï
.IR ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£ (capability)
¤È¸Æ¤Ð¤ì¡¢¥°¥ë¡¼¥×Ëè¤ËÆÈΩ¤ËÍ­¸ú¡¢Ìµ¸ú¤òÀßÄê¤Ç¤­¤ë¡£
¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ï¥¹¥ì¥Ã¥Éñ°Ì¤Î°À­¤Ç¤¢¤ë¡£
.\"
.SS ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î¥ê¥¹¥È
°Ê²¼¤Î¥ê¥¹¥È¤Ï¡¢
Linux ¤Ç¼ÂÁõ¤µ¤ì¤Æ¤¤¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤È
³Æ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬µö²Ä¤¹¤ëÁàºî¤ÈÆ°ºî¤ò¤Þ¤È¤á¤¿¤â¤Î¤Ç¤¢¤ë¡£
.TP
.BR CAP_AUDIT_CONTROL " (Linux 2.6.11 °Ê¹ß)"
¥«¡¼¥Í¥ë´Æºº (audit) ¤ÎÍ­¸ú̵¸ú¤ÎÀÚ¤êÂؤ¨¡¢
´Æºº¤Î¥Õ¥£¥ë¥¿¡¦¥ë¡¼¥ë¤ÎÊѹ¹¡¢
´Æºº¤Î¾õ¶·¤ä¥Õ¥£¥ë¥¿¡¦¥ë¡¼¥ë¤Î¼èÆÀ¤¬¤Ç¤­¤ë¡£
.TP
.BR CAP_AUDIT_WRITE " (Linux 2.6.11 °Ê¹ß)"
¥«¡¼¥Í¥ë´Æºº¤Î¥í¥°¤Ë¥ì¥³¡¼¥É¤ò½ñ¤­¹þ¤à¡£
.TP
.B CAP_CHOWN
¥Õ¥¡¥¤¥ë¤Î UID ¤ÈGID ¤òǤ°Õ¤ËÊѹ¹¤¹¤ë
.RB ( chown (2)
»²¾È)¡£
.TP
.B CAP_DAC_OVERRIDE
¥Õ¥¡¥¤¥ë¤ÎÆɤ߽Ф·¡¢½ñ¤­¹þ¤ß¡¢¼Â¹Ô¤Î¸¢¸Â¥Á¥§¥Ã¥¯¤ò¥Ð¥¤¥Ñ¥¹¤¹¤ë
(DAC ¤Ï "discretionary access control (Ǥ°Õ¤Î¥¢¥¯¥»¥¹À©¸æ)" ¤Îά¤Ç¤¢¤ë)¡£
.TP
.B CAP_DAC_READ_SEARCH
¥Õ¥¡¥¤¥ë¤ÎÆɤ߽Ф·¸¢¸Â¤Î¥Á¥§¥Ã¥¯¤È¥Ç¥£¥ì¥¯¥È¥ê¤ÎÆɤ߽Ф·¤È¼Â¹Ô
¤Î¸¢¸Â¥Á¥§¥Ã¥¯¤ò¥Ð¥¤¥Ñ¥¹¤¹¤ë¡£
.TP
.B CAP_FOWNER
.PD 0
.RS
.IP * 2
Ä̾¥×¥í¥»¥¹¤Î¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à UID ¤¬¥Õ¥¡¥¤¥ë¤Î UID ¤Ë°ìÃפ¹¤ë¤³¤È¤¬
Í׵ᤵ¤ì¤ëÁàºî (Î㤨¤Ð
.BR chmod (2),
.BR utime (2))
¤Ë¤ª¤±¤ë¸¢¸Â¥Á¥§¥Ã¥¯¤ò¥Ð¥¤¥Ñ¥¹¤¹¤ë¡£
⤷¡¢
.B CAP_DAC_OVERRIDE
¤«
.B CAP_DAC_READ_SEARCH
¤Ë¤è¤ê¥Á¥§¥Ã¥¯¤¬¹Ô¤ï¤ì¤ëÁàºî¤Ï½ü¤¯¡£
.IP *
Ǥ°Õ¤Î¥Õ¥¡¥¤¥ë¤ËÂФ·¤Æ³ÈÄ¥¥Õ¥¡¥¤¥ë°À­¤òÀßÄꤹ¤ë
.RB ( chattr (1)
»²¾È)¡£
.IP *
Ǥ°Õ¤Î¥Õ¥¡¥¤¥ë¤ËÂФ·¤Æ¥¢¥¯¥»¥¹À©¸æ¥ê¥¹¥È (ACL) ¤òÀßÄꤹ¤ë¡£
.IP *
¥Õ¥¡¥¤¥ë¤Îºï½ü¤ÎºÝ¤Ë¥Ç¥£¥ì¥¯¥È¥ê¤Î¥¹¥Æ¥£¥Ã¥­¡¼¥Ó¥Ã¥È¤ò̵»ë¤¹¤ë¡£
.IP *
.BR open (2)
¤ä
.BR fcntl (2)
¤ÇǤ°Õ¤Î¥Õ¥¡¥¤¥ë¤ËÂФ·¤Æ
.B O_NOATIME
¤ò»ØÄꤹ¤ë¡£
.RE
.PD
.TP
.B CAP_FSETID
¥Õ¥¡¥¤¥ë¤¬Êѹ¹¤µ¤ì¤¿¤È¤­¤Ë set-user-ID ¤Èset-group-ID ¤Îµö²Ä¥Ó¥Ã¥È¤ò¥¯¥ê¥¢
¤·¤Ê¤¤¡£¸Æ¤Ó½Ð¤·¸µ¥×¥í¥»¥¹¤Î¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à GID ¤ÈÄɲäΠGID ¤Î¤¤¤º¤ì¤È¤â
GID ¤¬°ìÃפ·¤Ê¤¤¥Õ¥¡¥¤¥ë¤ËÂФ·¤Æ set-group-ID ¥Ó¥Ã¥È¤òÀßÄꤹ¤ë¡£
.TP
.B CAP_IPC_LOCK
¥á¥â¥ê¡¼¤Î¥í¥Ã¥¯
.RB ( mlock (2),
.BR mlockall (2),
.BR mmap (2),
.BR shmctl (2))
¤ò¹Ô¤¦¡£
.TP
.B CAP_IPC_OWNER
System V IPC ¥ª¥Ö¥¸¥§¥¯¥È¤ËÂФ¹¤ëÁàºî¤Ë´Ø¤·¤Æ¸¢¸Â¥Á¥§¥Ã¥¯¤ò¥Ð¥¤¥Ñ¥¹¤¹¤ë¡£
.TP
.B CAP_KILL
¥·¥°¥Ê¥ë¤òÁ÷¿®¤¹¤ëºÝ¤Ë¸¢¸Â¥Á¥§¥Ã¥¯¤ò¥Ð¥¤¥Ñ¥¹¤¹¤ë
.RB ( kill (2)
»²¾È)¡£¤³¤ì¤Ë¤Ï
.BR ioctl (2)
¤Î
.B KDSIGACCEPT
Áàºî¤Î»ÈÍѤâ´Þ¤Þ¤ì¤ë¡£
.\" FIXME CAP_KILL also has an effect for threads + setting child
.\"       termination signal to other than SIGCHLD: without this
.\"       capability, the termination signal reverts to SIGCHLD
.\"       if the child does an exec().  What is the rationale
.\"       for this?
.TP
.BR CAP_LEASE " (Linux 2.4 °Ê¹ß)"
Ǥ°Õ¤Î¥Õ¥¡¥¤¥ë¤ËÂФ·¤Æ
¥Õ¥¡¥¤¥ë¥ê¡¼¥¹¤òÀßÄꤹ¤ë
.RB ( fcntl (2)
»²¾È)¡£
.TP
.B CAP_LINUX_IMMUTABLE
³ÈÄ¥¥Õ¥¡¥¤¥ë°À­
.B FS_APPEND_FL
¤È
.B FS_IMMUTABLE_FL
¤òÀßÄꤹ¤ë
.RB ( chattr (1)
»²¾È)¡£
.\" ¤³¤ì¤é¤Î°À­¤Ï ext2, ext3, Reiserfs, XFS, JFS ¤ÇÍøÍѲÄǽ¤Ç¤¢¤ë¡£
.TP
.BR CAP_MAC_ADMIN " (Linux 2.6.25 °Ê¹ß)"
¶¯À©¥¢¥¯¥»¥¹À©¸æ (MAC) ¤ò¾å½ñ¤­¤¹¤ë¡£
Smack Linux Security Module (LSM) ÍѤ˼ÂÁõ¤µ¤ì¤Æ¤¤¤ë¡£
.TP
.BR CAP_MAC_OVERRIDE " (Linux 2.6.25 °Ê¹ß)"
MAC ¤ÎÀßÄê¤ä¾õÂÖ¤òÊѹ¹¤¹¤ë¡£
Smack LSM ÍѤ˼ÂÁõ¤µ¤ì¤Æ¤¤¤ë¡£
.TP
.BR CAP_MKNOD " (Linux 2.4 °Ê¹ß)"
(Linux 2.4 °Ê¹ß)
.BR mknod (2)
¤ò»ÈÍѤ·¤Æ¥¹¥Ú¥·¥ã¥ë¡¦¥Õ¥¡¥¤¥ë¤òºîÀ®¤¹¤ë¡£
.TP
.B CAP_NET_ADMIN
³Æ¼ï¤Î¥Í¥Ã¥È¥ï¡¼¥¯´ØÏ¢¤ÎÁàºî¤ò¼Â¹Ô¤¹¤ë¡£
(Î㤨¤Ð¡¢Æø¢¤¬É¬Íפʥ½¥±¥Ã¥È¥ª¥×¥·¥ç¥ó¤òÀßÄꤹ¤ë¡¢¥Þ¥ë¥Á¥­¥ã¥¹¥È¤òÍ­¸ú¤Ë¤¹¤ë¡¢
¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤òÀßÄꤹ¤ë¡¢¥ë¡¼¥Æ¥£¥ó¥°¥Æ¡¼¥Ö¥ë¤òÊѹ¹¤¹¤ë¤Ê¤É)
.TP
.B CAP_NET_BIND_SERVICE
¥¤¥ó¥¿¡¼¥Í¥Ã¥È¥É¥á¥¤¥ó¤ÎÆø¢¥Ý¡¼¥È (¥Ý¡¼¥ÈÈֹ椬 1024 ÈÖ̤Ëþ)
¤ò¥Ð¥¤¥ó¥É¤Ç¤­¤ë¡£
.TP
.B CAP_NET_BROADCAST
(̤»ÈÍÑ) ¥½¥±¥Ã¥È¤Î¥Ö¥í¡¼¥É¥­¥ã¥¹¥È¤È¡¢¥Þ¥ë¥Á¥­¥ã¥¹¥È¤ÎÂÔ¤Á¼õ¤±¤ò¹Ô¤¦¡£
.TP
.B CAP_NET_RAW
RAW ¥½¥±¥Ã¥È¤È PACKET ¥½¥±¥Ã¥È¤ò»ÈÍѤ¹¤ë¡£
.\" ¤Þ¤¿¡¢³Æ¼ï¤Î IP ¥ª¥×¥·¥ç¥ó¤È SO_BINDTODEVICE ¥½¥±¥Ã¥È¥ª¥×¥·¥ç¥ó¤ò»ÈÍѤǤ­¤ë¡£
.TP
.B CAP_SETGID
¥×¥í¥»¥¹¤Î GID ¤ÈÄɲäΠGID ¥ê¥¹¥È¤ËÂФ¹¤ëǤ°Õ¤ÎÁàºî¤ò¹Ô¤¦¡£
Unix ¥É¥á¥¤¥ó¥½¥±¥Ã¥È·Ðͳ¤Ç¥½¥±¥Ã¥È¤Î»ñ³Ê¾ðÊó (credential) ¤òÅϤ¹ºÝ¤Ë
µ¶¤Î GID ¤òÅϤ¹¤³¤È¤¬¤Ç¤­¤ë¡£
.TP
.BR CAP_SETFCAP " (Linux 2.6.24 °Ê¹ß)"
¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òÀßÄꤹ¤ë¡£
.TP
.B CAP_SETPCAP
¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¥µ¥Ý¡¼¥È¤µ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç:
¸Æ¤Ó½Ð¤·¸µ¤¬µö²Ä¤µ¤ì¤Æ¤¤¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë´Þ¤Þ¤ì¤ëǤ°Õ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¡¢
¾¤Î¥×¥í¥»¥¹¤ËÉÕÍ¿¤·¤¿¤ê¡¢ºï½ü¤·¤¿¤ê¤Ç¤­¤ë¡£
(¥«¡¼¥Í¥ë¤¬¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥µ¥Ý¡¼¥È¤·¤Æ¤¤¤ë¾ì¹ç¡¢
.B CAP_SETPCAP
¤Ï¤³¤ÎÌò³ä¤ò»ý¤¿¤Ê¤¤¡£
¤Ê¤¼¤Ê¤é¡¢¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥µ¥Ý¡¼¥È¤·¤Æ¤¤¤ë¥«¡¼¥Í¥ë¤Ç¤Ï
.B CAP_SETPCAP
¤ÏÁ´¤¯Ê̤ΰÕÌ£¤ò»ý¤Ä¤«¤é¤Ç¤¢¤ë¡£)

¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¥µ¥Ý¡¼¥È¤µ¤ì¤Æ¤¤¤ë¾ì¹ç:
¸Æ¤Ó½Ð¤·¸µ¥¹¥ì¥Ã¥É¤Î¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤ÎǤ°Õ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò
¼«¿È¤Î·Ñ¾µ²Äǽ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ËÄɲäǤ­¤ë¡£
.RB ( prctl (2)
.BR PR_CAPBSET_DROP
¤ò»È¤Ã¤Æ)
¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤«¤é¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òºï½ü¤Ç¤­¤ë¡£
.I securebits
¥Õ¥é¥°¤òÊѹ¹¤Ç¤­¤ë¡£
.TP
.B CAP_SETUID
¥×¥í¥»¥¹¤Î UID ¤ËÂФ¹¤ëǤ°Õ¤ÎÁàºî
.RB ( setuid (2),
.BR setreuid (2),
.BR setresuid (2),
.BR setfsuid (2))
¤ò¹Ô¤¦¡£
Unix ¥É¥á¥¤¥ó¥½¥±¥Ã¥È·Ðͳ¤Ç¥½¥±¥Ã¥È¤Î»ñ³Ê¾ðÊó (credential) ¤òÅϤ¹ºÝ¤Ë
µ¶¤Î UID ¤òÅϤ¹¤³¤È¤¬¤Ç¤­¤ë¡£
.\" FIXME CAP_SETUID also an effect in exec(); document this.
.TP
.B CAP_SYS_ADMIN
.PD 0
.RS
.IP * 2
°Ê²¼¤Î¥·¥¹¥Æ¥à´ÉÍýÍѤÎÁàºî¤ò¼Â¹Ô¤¹¤ë:
.BR quotactl (2),
.BR mount (2),
.BR umount (2),
.BR swapon (2),
.BR swapoff (2),
.BR sethostname (2),
.BR setdomainname (2).
.IP *
Ǥ°Õ¤Î System V IPC ¥ª¥Ö¥¸¥§¥¯¥È¤ËÂФ¹¤ë
.B IPC_SET
¤È
.B IPC_RMID
Áàºî¤ò¼Â¹Ô¤¹¤ë¡£
.IP *
³Èĥ°À­
.I trusted
¤È
.I security
¤ËÂФ¹¤ëÁàºî¤ò¼Â¹Ô¤¹¤ë
.RB ( attr (5)
»²¾È)¡£
.IP *
.BR lookup_dcookie (2)
¤ò¸Æ¤Ó½Ð¤¹¡£
.IP *
.BR ioprio_set (2)
¤ò»È¤Ã¤Æ I/O ¥¹¥±¥¸¥å¡¼¥ê¥ó¥°¥¯¥é¥¹
.BR IOPRIO_CLASS_RT ,
.B IOPRIO_CLASS_IDLE
¤ò³ä¤êÅö¤Æ¤ë
.RB ( IOPRIO_CLASS_IDLE
¤Ï Linux 2.6.25 ¤è¤êÁ°¤Î¥Ð¡¼¥¸¥ç¥ó¤Î¤ß)¡£
.IP *
¥½¥±¥Ã¥È¤Î»ñ³Ê¾ðÊó (credential) ¤òÅϤ¹ºÝ¤Ëµ¶¤Î UID ¤òÅϤ¹¡£
.IP *
¥Õ¥¡¥¤¥ë¤ò¥ª¡¼¥×¥ó¤¹¤ë¥·¥¹¥Æ¥à¥³¡¼¥ë (Î㤨¤Ð
.BR accept (2),
.BR execve (2),
.BR open (2),
.BR pipe (2))
¤Ç¥·¥¹¥Æ¥àÁ´ÂΤǥª¡¼¥×¥ó¤Ç¤­¤ë¥Õ¥¡¥¤¥ë¿ô¤Î¾å¸Â
.I /proc/sys/fs/file-max
¤òĶ²á¤¹¤ë¡£
.IP *
.BR clone (2)
¤È
.BR unshare (2)
¤Ç
.B CLONE_NEWNS
¥Õ¥é¥°¤òÍøÍѤ¹¤ë¡£
.IP *
.BR keyctl (2)
¤Î
.B KEYCTL_CHOWN
¤È
.B KEYCTL_SETPERM
Áàºî¤ò¼Â¹Ô¤¹¤ë¡£
.RE
.PD
.TP
.B CAP_SYS_BOOT
.BR reboot (2)
¤È
.BR kexec_load (2)
¤ò¸Æ¤Ó½Ð¤¹¡£
.TP
.B CAP_SYS_CHROOT
.BR chroot (2).
¤ò¸Æ¤Ó½Ð¤¹¡£
.TP
.B CAP_SYS_MODULE
¥«¡¼¥Í¥ë¥â¥¸¥å¡¼¥ë¤Î¥í¡¼¥É¡¢¥¢¥ó¥í¡¼¥É¤ò¹Ô¤¦
.RB ( init_module (2)
¤È
.BR delete_module (2)
¤ò»²¾È¤Î¤³¤È)¡£
¥Ð¡¼¥¸¥ç¥ó 2.6.25 ¤è¤êÁ°¤Î¥«¡¼¥Í¥ë¤Ç¡¢
¥·¥¹¥Æ¥àÁ´ÂΤΥ±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È (capability bounding set)
¤«¤é¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò³°¤¹¡£
.TP
.B CAP_SYS_NICE
.PD 0
.RS
.IP * 2
¥×¥í¥»¥¹¤Î nice Ãͤΰú¤­¾å¤²
.RB ( nice (2),
.BR setpriority (2))
¤ä¡¢Ç¤°Õ¤Î¥×¥í¥»¥¹¤Î nice ÃͤÎÊѹ¹¤ò¹Ô¤¦¡£
.IP *
¸Æ¤Ó½Ð¤·¸µ¥×¥í¥»¥¹¤ËÂФ¹¤ë¥ê¥¢¥ë¥¿¥¤¥à¡¦¥¹¥±¥¸¥å¡¼¥ê¥ó¥°¥Ý¥ê¥·¡¼¤È¡¢
Ǥ°Õ¤Î¥×¥í¥»¥¹¤ËÂФ¹¤ë¥¹¥±¥¸¥å¡¼¥ê¥ó¥°¥Ý¥ê¥·¡¼¤ÈÍ¥ÀèÅÙ¤òÀßÄꤹ¤ë
.RB ( sched_setscheduler (2),
.BR sched_setparam (2))¡£
.IP *
Ǥ°Õ¤Î¥×¥í¥»¥¹¤ËÂФ¹¤ë CPU affinity ¤òÀßÄê¤Ç¤­¤ë
.RB ( sched_setaffinity (2))¡£
.IP *
Ǥ°Õ¤Î¥×¥í¥»¥¹¤ËÂФ·¤Æ I/O ¥¹¥±¥¸¥å¡¼¥ê¥ó¥°¥¯¥é¥¹¤ÈÍ¥ÀèÅÙ¤òÀßÄê¤Ç¤­¤ë
.RB ( ioprio_set (2))¡£
.IP *
.BR migrate_pages (2)
¤òǤ°Õ¤Î¥×¥í¥»¥¹¤ËŬÍѤ·¡¢¥×¥í¥»¥¹¤òǤ°Õ¤Î¥Î¡¼¥É¤Ë°ÜÆ°¤¹¤ë¡£
.\" FIXME CAP_SYS_NICE also has the following effect for
.\" migrate_pages(2):
.\"     do_migrate_pages(mm, &old, &new,
.\"         capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE);
.IP *
.BR move_pages (2)
¤òǤ°Õ¤Î¥×¥í¥»¥¹¤ËÂФ·¤Æ¹Ô¤¦¡£
.IP *
.BR mbind (2)
¤È
.BR move_pages (2)
¤Ç
.B MPOL_MF_MOVE_ALL
¥Õ¥é¥°¤ò»ÈÍѤ¹¤ë¡£
.RE
.PD
.TP
.B CAP_SYS_PACCT
.BR acct (2)
¤ò¸Æ¤Ó½Ð¤¹¡£
.TP
.B CAP_SYS_PTRACE
.BR ptrace (2)
¤ò»È¤Ã¤ÆǤ°Õ¤Î¥×¥í¥»¥¹¤ò¥È¥ì¡¼¥¹¤¹¤ë¡£
.TP
.B CAP_SYS_RAWIO
I/O ¥Ý¡¼¥ÈÁàºî¤ò¼Â¹Ô¤¹¤ë
.RB ( iopl (2)
¡¢
.BR ioperm (2))¡£
.I /proc/kcore
¤Ë¥¢¥¯¥»¥¹¤Ç¤­¤ë¡£
.TP
.B CAP_SYS_RESOURCE
.PD 0
.RS
.IP * 2
ext2 ¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à¾å¤ÎͽÌ󤵤ì¤Æ¤¤¤ëÎΰè¤ò»ÈÍѤ¹¤ë¡£
.IP *
ext3 ¤Î¥¸¥ã¡¼¥Ê¥ëµ¡Ç½¤òÀ©¸æ¤¹¤ë
.BR ioctl (2)
¤ò»ÈÍѤ¹¤ë¡£
.IP *
¥Ç¥£¥¹¥¯ quota ¤Î¾å¸Â¤ò¾å½ñ¤­¤¹¤ë¡£
.IP *
¥ê¥½¡¼¥¹¾å¸Â¤òÁý¤ä¤¹
.RB ( setrlimit (2))¡£
.IP *
.B RLIMIT_NPROC
¥ê¥½¡¼¥¹À©¸Â¤ò¾å½ñ¤­¤¹¤ë¡£
.IP *
¥á¥Ã¥»¡¼¥¸¥­¥å¡¼¤Ë´Ø¤¹¤ë¾å¸Â
.I msg_qbytes
¤ò
.I /proc/sys/kernel/msgmnb
¤Ë»ØÄꤵ¤ì¤Æ¤¤¤ë¾å¸Â¤è¤ê¤âÂ礭¤¯ÀßÄꤹ¤ë
.RB ( msgop (2)
¤È
.BR msgctl (2)
»²¾È)¡£
.RE
.PD
.TP
.B CAP_SYS_TIME
¥·¥¹¥Æ¥à¥¯¥í¥Ã¥¯¤òÊѹ¹¤¹¤ë
.RB ( settimeofday (2),
.BR stime (2),
.BR adjtimex (2))¡£
¥ê¥¢¥ë¥¿¥¤¥à (¥Ï¡¼¥É¥¦¥§¥¢) ¥¯¥í¥Ã¥¯¤òÊѹ¹¤¹¤ë¡£
.TP
.B CAP_SYS_TTY_CONFIG
.BR vhangup (2)
¤ò¸Æ¤Ó½Ð¤¹¡£
.\"
.SS ²áµî¤È¸½ºß¤Î¼ÂÁõ
´°Á´¤Ê·Á¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¼ÂÁõ¤¹¤ë¤Ë¤Ï¡¢°Ê²¼¤ÎÍ×·ï¤òËþ¤¿¤¹É¬Íפ¬¤¢¤ë¡§
.IP 1. 3
Á´¤Æ¤ÎÆø¢Áàºî¤Ë¤Ä¤¤¤Æ¡¢¥«¡¼¥Í¥ë¤Ï¤½¤Î¥¹¥ì¥Ã¥É¤Î¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë
ɬÍפʥ±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¤¢¤ë¤«¤ò³Îǧ¤¹¤ë¡£
.IP 2.
¥«¡¼¥Í¥ë¤Ç¡¢¤¢¤ë¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤òÊѹ¹¤·¤¿¤ê¡¢
¼èÆÀ¤·¤¿¤ê¤Ç¤­¤ë¥·¥¹¥Æ¥à¥³¡¼¥ë¤¬Ä󶡤µ¤ì¤ë¡£
.IP 3.
¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à¤¬¡¢¼Â¹Ô²Äǽ¥Õ¥¡¥¤¥ë¤Ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òÉÕÍ¿¤Ç¤­¡¢¥Õ¥¡¥¤¥ë
¼Â¹Ô»þ¤Ë¤½¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥×¥í¥»¥¹¤¬¼èÆÀ¤Ç¤­¤ë¤è¤¦¤Êµ¡Ç½¤ò¥µ¥Ý¡¼¥È¤¹¤ë¡£
.PP
¥«¡¼¥Í¥ë 2.6.24 ¤è¤êÁ°¤Ç¤Ï¡¢ºÇ½é¤Î 2¤Ä¤ÎÍ×·ï¤Î¤ß¤¬Ëþ¤¿¤µ¤ì¤Æ¤¤¤ë¡£
¥«¡¼¥Í¥ë 2.6.24 °Ê¹ß¤Ç¤Ï¡¢3¤Ä¤ÎÍ׷魯¤Ù¤Æ¤¬Ëþ¤¿¤µ¤ì¤Æ¤¤¤ë¡£
.\"
.SS ¥¹¥ì¥Ã¥É¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È
³Æ¥¹¥ì¥Ã¥É¤Ï°Ê²¼¤Î 3¼ïÎà¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ò»ý¤Ä¡£³Æ¡¹¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ï
¾åµ­¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ÎÁȤ߹ç¤ï¤»¤Ç¤¢¤ë (Á´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬Ìµ¸ú¤Ç¤â¤è¤¤)¡£
.TP
.IR "µö²Ä (permitted)" :
¤½¤Î¥¹¥ì¥Ã¥É¤¬»ý¤Ä¤³¤È¤Ë¤Ê¤Ã¤Æ¤¤¤ë¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î
¸ÂÄêŪ¤Ê¥¹¡¼¥Ñ¡¼¥»¥Ã¥È¤Ç¤¢¤ë¡£
¤³¤ì¤Ï¡¢¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë
.B CAP_SETPCAP
¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ã¤Æ¤¤¤Ê¤¤¥¹¥ì¥Ã¥É¤¬·Ñ¾µ²Äǽ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë
ÄɲòÄǽ¤Ê¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î¸ÂÄêŪ¤Ê¥¹¡¼¥Ñ¡¼¥»¥Ã¥È¤Ç¤â¤¢¤ë¡£

µö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤«¤éºï½ü¤·¤Æ¤·¤Þ¤Ã¤¿¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ï¡¢
(set-user-ID-root ¥×¥í¥°¥é¥à¤«¡¢
¤½¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Çµö²Ä¤·¤Æ¤¤¤ë¥×¥í¥°¥é¥à¤ò
.BR execve (2)
¤·¤Ê¤¤¸Â¤ê¤Ï) ¤â¤¦°ìÅÙ³ÍÆÀ¤¹¤ë¤³¤È¤Ï¤Ç¤­¤Ê¤¤¡£
.TP
.IR "·Ñ¾µ²Äǽ (inheritable)" :
.BR execve (2)
¤òÁ°¸å¤ÇÊÝ»ý¤µ¤ì¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ç¤¢¤ë¡£
¤³¤Î»ÅÁȤߤò»È¤¦¤³¤È¤Ç¡¢¤¢¤ë¥×¥í¥»¥¹¤¬
.BR execve (2)
¤ò¹Ô¤¦ºÝ¤Ë¿·¤·¤¤¥×¥í¥°¥é¥à¤Îµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤È¤·¤Æ
³ä¤êÅö¤Æ¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ØÄꤹ¤ë¤³¤È¤¬¤Ç¤­¤ë¡£
.TP
.IR "¼Â¸ú (effective)" :
¥«¡¼¥Í¥ë¤¬¥¹¥ì¥Ã¥É¤Î¸¢¸Â (permission) ¤ò¥Á¥§¥Ã¥¯¤¹¤ë¤È¤­¤Ë
»ÈÍѤ¹¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ç¤¢¤ë¡£
.PP
.BR fork (2)
¤ÇºîÀ®¤µ¤ì¤ë»Ò¥×¥í¥»¥¹¤Ï¡¢¿Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Î¥³¥Ô¡¼¤ò·Ñ¾µ¤¹¤ë¡£
.BR execve (2)
Ãæ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î°·¤¤¤Ë¤Ä¤¤¤Æ¤Ï²¼µ­¤ò»²¾È¤Î¤³¤È¡£
.PP
.BR capset (2)
¤ò»È¤¦¤È¡¢¥×¥í¥»¥¹¤Ï¼«Ê¬¼«¿È¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È
¤òÁàºî¤¹¤ë¤³¤È¤¬¤Ç¤­¤ë (²¼µ­»²¾È)¡£
.\"
.SS ¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£
¥«¡¼¥Í¥ë 2.6.24 °Ê¹ß¤Ç¤Ï¡¢
.BR setcap (8)
¤ò»È¤Ã¤Æ¼Â¹Ô¥Õ¥¡¥¤¥ë¤Ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤òÂбþÉÕ¤±¤ë¤³¤È¤¬¤Ç¤­¤ë¡£
¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ï
.I "security.capability"
¤È¤¤¤¦Ì¾Á°¤Î³Èĥ°À­¤ËÊݸ¤µ¤ì¤ë
.RB ( setxattr (2)
»²¾È)¡£¤³¤Î³Èĥ°À­¤Ø¤Î½ñ¤­¹þ¤ß¤Ë¤Ï
.B CAP_SETFCAP
¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬É¬ÍפǤ¢¤ë¡£
¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤È¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎξÊý¤¬
¹Í褵¤ì¡¢
.BR execve (2)
¸å¤Î¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤¬·èÄꤵ¤ì¤ë¡£

3 ¤Ä¤Î¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤¬ÄêµÁ¤µ¤ì¤Æ¤¤¤ë¡£
.TP
.IR "µö²Ä (Permitted)" " (°ÊÁ°¤Î" "¶¯À© (Forced)" "):"
¥¹¥ì¥Ã¥É¤Î·Ñ¾µ²Äǽ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ë´Ø¤ï¤é¤º¡¢¤½¤Î¥¹¥ì¥Ã¥É¤Ë¼«Æ°Åª¤Ë
ǧ¤á¤é¤ì¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡£
.TP
.IR "·Ñ¾µ²Äǽ (Inheritable)" " (°ÊÁ°¤Î " "µöÍÆ (Allowed)" "):"
¤³¤Î¥»¥Ã¥È¤È¡¢¥¹¥ì¥Ã¥É¤Î·Ñ¾µ²Äǽ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤È¤Î
ÏÀÍýÀÑ (AND) ¤¬¤È¤é¤ì¡¢
.BR execve (2)
¤Î¸å¤Ë¤½¤Î¥¹¥ì¥Ã¥É¤Îµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÇÍ­¸ú¤È¤Ê¤ë
·Ñ¾µ²Äǽ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬·èÄꤵ¤ì¤ë¡£
.TP
.IR "¼Â¸ú (Effective)" :
¤³¤ì¤Ï½¸¹ç¤Ç¤Ï¤Ê¤¯¡¢1 ¥Ó¥Ã¥È¤Î¾ðÊó¤Ç¤¢¤ë¡£
¤³¤Î¥Ó¥Ã¥È¤¬¥»¥Ã¥È¤µ¤ì¤Æ¤¤¤ë¤È¡¢
.BR execve (2)
¼Â¹ÔÃæ¤Ë¡¢¤½¤Î¥¹¥ì¥Ã¥É¤Î¿·¤·¤¤µö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬Á´¤Æ
¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£½¸¹ç¤Ë¤ª¤¤¤Æ¤â¥»¥Ã¥È¤µ¤ì¤ë¡£
¤³¤Î¥Ó¥Ã¥È¤¬¥»¥Ã¥È¤µ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¡¢
.BR execve (2)
¸å¤Ë¤Ï¿·¤·¤¤µö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î¤É¤ì¤â¿·¤·¤¤¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£½¸¹ç
¤Ë¥»¥Ã¥È¤µ¤ì¤Ê¤¤¡£

¥Õ¥¡¥¤¥ë¤Î¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥Ó¥Ã¥È¤òÍ­¸ú¤Ë¤¹¤ë¤È¤¤¤¦¤Î¤Ï¡¢
.BR execve (2)
¼Â¹Ô»þ¤Ë¡¢¥Õ¥¡¥¤¥ë¤Îµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤È·Ñ¾µ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ËÂбþ¤¹¤ë¤â¤Î¤¬
¥¹¥ì¥Ã¥É¤Îµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤È¤·¤Æ¥»¥Ã¥È¤µ¤ì¤ë¤¬¡¢
¤³¤ì¤¬¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë¤â¥»¥Ã¥È¤µ¤ì¤ë¤È¤¤¤¦¤³¤È¤Ç¤¢¤ë
(¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ÎÊÑ´¹¥ë¡¼¥ë¤Ï²¼µ­»²¾È)¡£
¤·¤¿¤¬¤Ã¤Æ¡¢¥Õ¥¡¥¤¥ë¤Ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò³ä¤êÅö¤Æ¤ëºÝ
.RB ( setcap (8),
.BR cap_set_file (3),
.BR cap_set_fd (3))¡¢
¤¤¤º¤ì¤«¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ËÂФ·¤Æ¼Â¸ú¥Õ¥é¥°¤òÍ­¸ú¤È»ØÄꤹ¤ë¾ì¹ç¡¢
µö²Ä¥Õ¥é¥°¤ä·Ñ¾µ²Äǽ¥Õ¥é¥°¤òÍ­¸ú¤Ë¤·¤¿Â¾¤ÎÁ´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£
¤Ë¤Ä¤¤¤Æ¤â¼Â¸ú¥Õ¥é¥°¤òÍ­¸ú¤È»ØÄꤷ¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£
.\"
.SS "execve() Ãæ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ÎÊÑ´¹"
.PP
.BR execve (2)
¼Â¹Ô»þ¤Ë¡¢¥«¡¼¥Í¥ë¤Ï¥×¥í¥»¥¹¤Î¿·¤·¤¤¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¼¡¤Î
¥¢¥ë¥´¥ê¥º¥à¤òÍѤ¤¤Æ·×»»¤¹¤ë¡§
.in +4n
.nf

P'(permitted) = (P(inheritable) & F(inheritable)) |
                (F(permitted) & cap_bset)

P'(effective) = F(effective) ? P'(permitted) : 0

P'(inheritable) = P(inheritable)    [¤Ä¤Þ¤ê¡¢Êѹ¹¤µ¤ì¤Ê¤¤]

.fi
.in
³ÆÊÑ¿ô¤Î°ÕÌ£¤Ï°Ê²¼¤ÎÄ̤ê:
.RS 4
.IP P 10
.BR execve (2)
Á°¤Î¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÃÍ
.IP P'
.BR execve (2)
¸å¤Î¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÃÍ
.IP F
¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÃÍ
.IP cap_bset
¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤ÎÃÍ (²¼µ­»²¾È)
.RE
.\"
.SS ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤È¡¢¥ë¡¼¥È¤Ë¤è¤ë¥×¥í¥°¥é¥à¤Î¼Â¹Ô
.BR execve (2)
»þ¤Ë¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ò»È¤Ã¤Æ¡¢Á´¤Æ¤Î¸¢¸Â¤ò»ý¤Ã¤¿
.I root
¤ò¼Â¸½¤¹¤ë¤Ë¤Ï¡¢°Ê²¼¤Î¤è¤¦¤Ë¤¹¤ë¡£
.IP 1. 3
set-user-ID-root ¥×¥í¥°¥é¥à¤¬¼Â¹Ô¤µ¤ì¤ë¾ì¹ç¡¢
¤Þ¤¿¤Ï¥×¥í¥»¥¹¤Î¼Â¥æ¡¼¥¶ ID ¤¬ 0 (root) ¤Î¾ì¹ç¡¢
¥Õ¥¡¥¤¥ë¤Î·Ñ¾µ²Äǽ¥»¥Ã¥È¤Èµö²Ä¥»¥Ã¥È¤òÁ´¤Æ 1
(Á´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬Í­¸ú) ¤ËÄêµÁ¤¹¤ë¡£
.IP 2.
set-user-ID-root ¥×¥í¥°¥é¥à¤¬¼Â¹Ô¤µ¤ì¤ë¾ì¹ç¡¢
¥Õ¥¡¥¤¥ë¤Î¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥Ó¥Ã¥È¤ò 1 (enabled) ¤ËÄêµÁ¤¹¤ë¡£
.PP
¾åµ­¤Î¥ë¡¼¥ë¤Ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£ÊÑ´¹¤òŬÍѤ·¤¿·ë²Ì¤ò¤Þ¤È¤á¤ë¤È¡¢
¥×¥í¥»¥¹¤¬ set-user-ID-root ¥×¥í¥°¥é¥à¤ò
.BR execve (2)
¤¹¤ë¾ì¹ç¡¢¤Þ¤¿¤Ï¼Â¸ú UID ¤¬ 0 ¤Î¥×¥í¥»¥¹¤¬¥×¥í¥°¥é¥à¤ò
.BR execve (2)
¤¹¤ë¾ì¹ç¡¢µö²Ä¤È¼Â¸ú¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÁ´¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£
(Àµ³Î¤Ë¤Ï¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ë¤è¤ë¥Þ¥¹¥¯¤Ç½ü³°¤µ¤ì¤ë¤â¤Î
°Ê³°¤ÎÁ´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£) ¤ò¼èÆÀ¤¹¤ë¤È¤¤¤¦¤³¤È¤Ç¤¢¤ë¡£
.\" ¼Â UID ¤¬ 0 ¤Ç¼Â¸ú UID ¤¬ 0 °Ê³°¤Î¥×¥í¥»¥¹¤¬ exec () ¤ò¹Ô¤¦¤È¡¢
.\" µö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë´Þ¤Þ¤ì¤ëÁ´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£
.\" ¤¬¼èÆÀ¤µ¤ì¡¢¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ï¼èÆÀ¤µ¤ì¤Ê¤¤¡£
¤³¤ì¤Ë¤è¤ê¡¢ÅÁÅýŪ¤Ê Unix ¥·¥¹¥Æ¥à¤ÈƱ¤¸¿¶¤ëÉñ¤¤¤¬¤Ç¤­¤ë¤è¤¦¤Ë¤Ê¤Ã¤Æ¤¤¤ë¡£
.SS ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È
¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È (capability bounding set) ¤Ï¡¢
.BR execve (2)
»þ¤Ë³ÍÆÀ¤Ç¤­¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òÀ©¸Â¤¹¤ë¤¿¤á¤Ë»È¤ï¤ì¤ë
¥»¥­¥å¥ê¥Æ¥£µ¡¹½¤Ç¤¢¤ë¡£
¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï°Ê²¼¤Î¤è¤¦¤Ë»ÈÍѤµ¤ì¤ë¡£
.IP * 2
.BR execve (2)
¼Â¹Ô»þ¤Ë¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤È
¥Õ¥¡¥¤¥ë¤Îµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÏÀÍýÏ (AND) ¤ò¼è¤Ã¤¿¤â¤Î¤¬¡¢
¤½¤Î¥¹¥ì¥Ã¥É¤Îµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë³ä¤êÅö¤Æ¤é¤ì¤ë¡£
¤Ä¤Þ¤ê¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï¡¢
¼Â¹Ô¥Õ¥¡¥¤¥ë¤¬Ç§¤á¤Æ¤¤¤ëµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ËÂФ·¤Æ
À©¸Â¤ò²Ý¤¹Æ¯¤­¤ò¤¹¤ë¡£
.IP *
(Linux 2.6.25 °Ê¹ß)
¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï¡¢¥¹¥ì¥Ã¥É¤¬
.BR capset (2)
¤Ë¤è¤ê¼«¿È¤Î·Ñ¾µ²Äǽ¥»¥Ã¥È¤ËÄɲòÄǽ¤Ê¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ÎÊ콸ÃĤò
À©¸Â¤¹¤ëÌò³ä¤ò»ý¤Ä¡£
¥¹¥ì¥Ã¥É¤Ëµö²Ä¤µ¤ì¤¿¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ç¤¢¤Ã¤Æ¤â¡¢¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ë
´Þ¤Þ¤ì¤Æ¤¤¤Ê¤±¤ì¤Ð¡¢¥¹¥ì¥Ã¥É¤Ï¤½¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ï¼«¿È¤Î·Ñ¾µ²Äǽ¥»¥Ã¥È¤Ë
ÄɲäǤ­¤º¡¢¤½¤Î·ë²Ì¡¢·Ñ¾µ²Äǽ¥»¥Ã¥È¤Ë¤½¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò´Þ¤à¥Õ¥¡¥¤¥ë¤ò
.BR execve (2)
¤¹¤ë¾ì¹ç¡¢¤½¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òµö²Ä¥»¥Ã¥È¤Ë»ý¤Á³¤±¤ë¤³¤È¤¬¤Ç¤­¤Ê¤¤¡¢
¤È¤¤¤¦¤³¤È¤Ç¤¢¤ë¡£
.PP
¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤¬¥Þ¥¹¥¯¤ò¹Ô¤¦¤Î¤Ï¡¢·Ñ¾µ²Äǽ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ç¤Ï¤Ê¤¯¡¢
¥Õ¥¡¥¤¥ë¤Îµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î¥Þ¥¹¥¯¤ò¹Ô¤¦ÅÀ¤ËÃí°Õ¤¹¤ë¤³¤È¡£
¤¢¤ë¥¹¥ì¥Ã¥É¤Î·Ñ¾µ²Äǽ¥»¥Ã¥È¤Ë¤½¤Î¥¹¥ì¥Ã¥É¤Î¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ë
¸ºß¤·¤Ê¤¤¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬´Þ¤Þ¤ì¤Æ¤¤¤ë¾ì¹ç¡¢¤½¤Î¥¹¥ì¥Ã¥É¤Ï¡¢
·Ñ¾µ²Äǽ¥»¥Ã¥È¤Ë´Þ¤Þ¤ì¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ä¥Õ¥¡¥¤¥ë¤ò¼Â¹Ô¤¹¤ë¤³¤È¤Ë¤è¤ê¡¢
µö²Ä¥»¥Ã¥È¤Ë´Þ¤Þ¤ì¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤â³ÍÆÀ¤Ç¤­¤ë¤È¤¤¤¦¤³¤È¤Ç¤¢¤ë¡£
.PP
¥«¡¼¥Í¥ë¤Î¥Ð¡¼¥¸¥ç¥ó¤Ë¤è¤ê¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï
¥·¥¹¥Æ¥à¶¦Ä̤ΰÀ­¤Î¾ì¹ç¤È¡¢¥×¥í¥»¥¹Ã±°Ì¤Î°À­¤Î¾ì¹ç¤¬¤¢¤ë¡£
.PP
.B "Linux 2.6.25 ¤è¤êÁ°¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È"
.PP
2.6.25 ¤è¤êÁ°¤Î¥«¡¼¥Í¥ë¤Ç¤Ï¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï
¥·¥¹¥Æ¥à¶¦Ä̤ΰÀ­¤Ç¡¢¥·¥¹¥Æ¥à¾å¤ÎÁ´¤Æ¤Î¥¹¥ì¥Ã¥É¤ËŬÍѤµ¤ì¤ë¡£
¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï
.I /proc/sys/kernel/cap-bound
¥Õ¥¡¥¤¥ë·Ðͳ¤Ç»²¾È¤Ç¤­¤ë¡£
(´Ö°ã¤¨¤ä¤¹¤¤¤¬¡¢¤³¤Î¥Ó¥Ã¥È¥Þ¥¹¥¯·Á¼°¤Î¥Ñ¥é¥á¡¼¥¿¤Ï¡¢
.I /proc/sys/kernel/cap-bound
¤Ç¤ÏÉä¹æÉÕ¤­¤Î½½¿Ê¿ô¤Çɽ¸½¤µ¤ì¤ë¡£)

.B init
¥×¥í¥»¥¹¤À¤±¤¬¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ç
¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥»¥Ã¥È¤¹¤ë¤³¤È¤¬¤Ç¤­¤ë¡£
¤½¤ì°Ê³°¤Ç¤Ï¡¢¥¹¡¼¥Ñ¡¼¥æ¡¼¥¶ (¤è¤êÀµ³Î¤Ë¤Ï¡¢
.B CAP_SYS_MODULE
¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ã¤¿¥×¥í¥°¥é¥à) ¤¬¡¢
¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î¥¯¥ê¥¢¤¬
¤Ç¤­¤ë¤À¤±¤Ç¤¢¤ë¡£

Ä̾ï¤Î¥·¥¹¥Æ¥à¤Ç¤Ï¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï¡¢
.B CAP_SETPCAP
¤¬Ìµ¸ú¤Ë¤Ê¤Ã¤Æ¤¤¤ë¡£
¤³¤ÎÀ©¸Â¤ò¼è¤êµî¤ë¤Ë¤Ï (¼è¤êµî¤ë¤Î¤Ï´í¸±!)¡¢
.I include/linux/capability.h
Æâ¤Î
.B CAP_INIT_EFF_SET
¤ÎÄêµÁ¤ò½¤Àµ¤·¡¢¥«¡¼¥Í¥ë¤òºÆ¹½ÃÛ¤¹¤ëɬÍפ¬¤¢¤ë¡£

¥·¥¹¥Æ¥à¶¦Ä̤Υ±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥Èµ¡Ç½¤Ï¡¢
¥«¡¼¥Í¥ë 2.2.11 °Ê¹ß¤Ç Linux ¤ËÄɲ䵤줿¡£
.\"
.PP
.B "Linux 2.6.25 °Ê¹ß¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È"
.PP
Linux 2.6.25 °Ê¹ß¤Ç¤Ï¡¢
¡Ö¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¡×¤Ï¥¹¥ì¥Ã¥Éñ°Ì¤Î°À­¤Ç¤¢¤ë
(¥·¥¹¥Æ¥à¶¦Ä̤Υ±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï¤â¤Ï¤ä¸ºß¤·¤Ê¤¤)¡£

¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ï
.BR fork (2)
»þ¤Ë¤Ï¥¹¥ì¥Ã¥É¤Î¿Æ¥×¥í¥»¥¹¤«¤é·Ñ¾µ¤µ¤ì¡¢
.BR execve (2)
¤ÎÁ°¸å¤Ç¤ÏÊÝ»ý¤µ¤ì¤ë¡£

¥¹¥ì¥Ã¥É¤¬
.B CAP_SETPCAP
¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ã¤Æ¤¤¤ë¾ì¹ç¡¢¤½¤Î¥¹¥ì¥Ã¥É¤Ï
.BR prctl (2)
¤Î
.BR PR_CAPBSET_DROP
Áàºî¤ò»È¤Ã¤Æ¼«¿È¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤«¤é
¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òºï½ü¤¹¤ë¤³¤È¤¬¤Ç¤­¤ë¡£
¤¤¤Ã¤¿¤ó¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤«¤éºï½ü¤·¤Æ¤·¤Þ¤¦¤È¡¢
¥¹¥ì¥Ã¥É¤Ï¤½¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òºÆÅÙ¥»¥Ã¥È¤¹¤ë¤³¤È¤Ï¤Ç¤­¤Ê¤¤¡£
.BR prctl (2)
¤Î
.B PR_CAPBSET_READ
Áàºî¤ò»È¤¦¤³¤È¤Ç¡¢¥¹¥ì¥Ã¥É¤¬¤¢¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¼«¿È¤Î¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È
¤Ë´Þ¤Þ¤ì¤Æ¤¤¤ë¤«¤òÃΤ뤳¤È¤¬¤Ç¤­¤ë¡£

¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤«¤é¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Îºï½ü¤¬¥µ¥Ý¡¼¥È¤µ¤ì¤ë¤Î¤Ï¡¢
¥«¡¼¥Í¥ë¤Î¥³¥ó¥Ñ¥¤¥ë»þ¤Ë¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬Í­¸ú¤Ë¤Ê¤Ã¤Æ¤¤¤ë¾ì¹ç
(CONFIG_SECURITY_FILE_CAPABILITIES) ¤À¤±¤Ç¤¢¤ë¡£
¤³¤Î¾ì¹ç¤Ë¤Ï¡¢ (Á´¤Æ¤Î¥×¥í¥»¥¹¤ÎÀèÁĤǤ¢¤ë) 
.I init
¥×¥í¥»¥¹¤Ï¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤ÇÁ´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬
¥»¥Ã¥È¤µ¤ì¤¿¾õÂ֤dz«»Ï¤¹¤ë¡£
¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬Í­¸ú¤Ë¤Ê¤Ã¤Æ¤¤¤Ê¤¤¾ì¹ç¤Ë¤Ï¡¢
.I init
¤Ï¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤Ç
.B CAP_SETPCAP
°Ê³°¤ÎÁ´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¥»¥Ã¥È¤µ¤ì¤¿¾õÂ֤dz«»Ï¤¹¤ë¡£
¤³¤Î¤è¤¦¤Ë¤Ê¤Ã¤Æ¤¤¤ë¤Î¤Ï¡¢
.B CAP_SETPCAP
¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¥µ¥Ý¡¼¥È¤µ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¤Ë¤Ï
°ã¤Ã¤¿°ÕÌ£¤ò»ý¤Ä¤«¤é¤Ç¤¢¤ë¡£

¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤«¤é¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òºï½ü¤·¤Æ¤â¡¢
¥¹¥ì¥Ã¥É¤Î·Ñ¾µ²Äǽ¥»¥Ã¥È¤«¤é¤Ï¤½¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ïºï½ü¤µ¤ì¤Ê¤¤¡£
¤·¤«¤·¤Ê¤¬¤é¡¢¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤«¤é¤Îºï½ü¤Ë¤è¤ê¡¢
¤³¤ÎÀ褽¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥¹¥ì¥Ã¥É¤Î·Ñ¾µ²Äǽ¥»¥Ã¥È¤ËÄɲ乤뤳¤È
¤Ï¤Ç¤­¤Ê¤¯¤Ê¤ë¡£
.\"
.\"
.SS "¥æ¡¼¥¶ ID Êѹ¹¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ø¤Î±Æ¶Á"
¥æ¡¼¥¶ ID ¤¬ 0 ¤È 0 °Ê³°¤Î´Ö¤ÇÊѲ½¤¹¤ëºÝ¤Î¿¶¤ëÉñ¤¤¤ò½¾Íè¤ÈƱ¤¸¤Ë¤¹¤ë¤¿¤á¡¢
¥¹¥ì¥Ã¥É¤Î¼Â UID¡¢¼Â¸ú UID¡¢Êݸ set-user-ID¡¢¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à UID ¤¬
.RB ( setuid (2),
.BR setresuid (2)
¤Ê¤É¤ò»È¤Ã¤Æ) Êѹ¹¤µ¤ì¤¿ºÝ¤Ë¡¢¥«¡¼¥Í¥ë¤Ï¤½¤Î¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë
°Ê²¼¤ÎÊѹ¹¤ò¹Ô¤¦:
.IP 1. 3
UID ¤ÎÊѹ¹Á°¤Ë¤Ï¼Â UID¡¢¼Â¸ú UID¡¢Êݸ set-user-ID ¤Î¤¦¤Á
¾¯¤Ê¤¯¤È¤â°ì¤Ä¤¬ 0 ¤Ç¡¢Êѹ¹¸å¤Ë¼Â UID¡¢¼Â¸ú UID¡¢Êݸ set-user-ID ¤¬
¤¹¤Ù¤Æ 0 °Ê³°¤ÎÃͤˤʤ俾ì¹ç¡¢µö²Ä¤È¼Â¸ú¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Î
Á´¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥¯¥ê¥¢¤¹¤ë¡£
.IP 2.
¼Â¸ú UID ¤¬ 0 ¤«¤é 0 °Ê³°¤ËÊѹ¹¤µ¤ì¤¿¾ì¹ç¡¢
¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÁ´¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¥¯¥ê¥¢¤¹¤ë¡£
.IP 3.
¼Â¸ú UID ¤¬ 0 °Ê³°¤«¤é 0 ¤ËÊѹ¹¤µ¤ì¤¿¾ì¹ç¡¢
µö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÆâÍƤò¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ë¥³¥Ô¡¼¤¹¤ë¡£
.IP 4.
¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à UID ¤¬ 0 ¤«¤é 0 °Ê³°¤ËÊѹ¹¤µ¤ì¤¿¾ì¹ç
.RB ( setfsuid (2)
»²¾È)¡¢¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Î°Ê²¼¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬¥¯¥ê¥¢¤µ¤ì¤ë:
.BR CAP_CHOWN ,
.BR CAP_DAC_OVERRIDE ,
.BR CAP_DAC_READ_SEARCH ,
.BR CAP_FOWNER ,
.BR CAP_FSETID ,
.B CAP_LINUX_IMMUTABLE
(Linux 2.2.30 °Ê¹ß),
.BR CAP_MAC_OVERRIDE ,
.B CAP_MKNOD
(Linux 2.2.30 °Ê¹ß)¡£
¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à UID ¤¬ 0 °Ê³°¤«¤é 0 ¤ËÊѹ¹¤µ¤ì¤¿¾ì¹ç¡¢
¾åµ­¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Î¤¦¤Áµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÇÍ­¸ú¤Ë¤Ê¤Ã¤Æ¤¤¤ë¤â¤Î¤¬
¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÇÍ­¸ú¤Ë¤µ¤ì¤ë¡£
.PP
³Æ¼ï UID ¤Î¤¦¤Á¾¯¤Ê¤¯¤È¤â°ì¤Ä¤¬ 0 ¤Ç¤¢¤ë¥¹¥ì¥Ã¥É¤¬¡¢
¤½¤Î UID ¤ÎÁ´¤Æ¤¬ 0 °Ê³°¤Ë¤Ê¤Ã¤¿¤È¤­¤Ëµö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤¬
¥¯¥ê¥¢¤µ¤ì¤Ê¤¤¤è¤¦¤Ë¤·¤¿¤¤¾ì¹ç¤Ë¤Ï¡¢
.BR prctl (2)
¤Î
.B PR_SET_KEEPCAPS
Áàºî¤ò»È¤¨¤Ð¤è¤¤¡£
.\"
.SS ¥×¥í¥°¥é¥à¤Ç¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤òÄ´À°¤¹¤ë
³Æ¥¹¥ì¥Ã¥É¤Ï¡¢
.BR capget (2)
¤ä
.BR capset (2)
¤ò»È¤Ã¤Æ¡¢¼«¿È¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ò¼èÆÀ¤·¤¿¤êÊѹ¹¤·¤¿¤ê¤Ç¤­¤ë¡£
¤¿¤À¤·¡¢¤³¤ì¤ò¹Ô¤¦¤Ë¤Ï¡¢
.I libcap
¥Ñ¥Ã¥±¡¼¥¸¤ÇÄ󶡤µ¤ì¤Æ¤¤¤ë
.BR cap_get_proc (3)
¤ä
.BR cap_set_proc (3)
¤ò»È¤¦¤Î¤¬Ë¾¤Þ¤·¤¤¡£
¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÊѹ¹¤Ë¤Ï°Ê²¼¤Î¥ë¡¼¥ë¤¬Å¬ÍѤµ¤ì¤ë¡£
.IP 1. 3
¸Æ¤Ó½Ð¤·Â¦¤¬
.B CAP_SETPCAP
¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ã¤Æ¤¤¤Ê¤¤¾ì¹ç¡¢¿·¤·¤¤·Ñ¾µ²Äǽ¥»¥Ã¥È¤Ï¡¢
´û¸¤Î·Ñ¾µ²Äǽ¥»¥Ã¥È¤Èµö²Ä¥»¥Ã¥È¤ÎÀѽ¸¹ç (AND) ¤ÎÉôʬ½¸¹ç¤Ç
¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£
.IP 2.
(¥«¡¼¥Í¥ë 2.6.25 °Ê¹ß)
¿·¤·¤¤·Ñ¾µ²Äǽ¥»¥Ã¥È¤Ï¡¢´û¸¤Î·Ñ¾µ²Äǽ¥»¥Ã¥È¤È¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦
¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤ÎÀѽ¸¹ç (AND) ¤ÎÉôʬ½¸¹ç¤Ç¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£
.IP 3.
¿·¤·¤¤µö²Ä¥»¥Ã¥È¤Ï¡¢´û¸¤Îµö²Ä¥»¥Ã¥È¤ÎÉôʬ½¸¹ç¤Ç¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤
(¤Ä¤Þ¤ê¡¢¤½¤Î¥¹¥ì¥Ã¥É¤¬¸½ºß»ý¤Ã¤Æ¤¤¤Ê¤¤µö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò
³ÍÆÀ¤¹¤ë¤³¤È¤Ï¤Ç¤­¤Ê¤¤)¡£
.IP 4.
¿·¤·¤¤¼Â¸ú¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Ï¿·¤·¤¤µö²Ä¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤Î
Éôʬ½¸¹ç¤Ë¤Ê¤Ã¤Æ¤¤¤Ê¤±¤ì¤Ð¤Ê¤é¤Ê¤¤¡£
.SS securebits ¥Õ¥é¥°: ¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤À¤±¤Î´Ä¶­¤ò¹½ÃÛ¤¹¤ë
.\" For some background:
.\"       see http://lwn.net/Articles/280279/ and
.\"       http://article.gmane.org/gmane.linux.kernel.lsm/5476/
¥«¡¼¥Í¥ë 2.6.26 °Ê¹ß¤Ç¡¢
¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬Í­¸ú¤Ë¤Ê¤Ã¤¿¥«¡¼¥Í¥ë¤Ç¤Ï¡¢
¥¹¥ì¥Ã¥Éñ°Ì¤Î
.I securebits
¥Õ¥é¥°¤¬¼ÂÁõ¤µ¤ì¤Æ¤ª¤ê¡¢¤³¤Î¥Õ¥é¥°¤ò»È¤¦¤È UID 0
.RI ( root )
¤ËÂФ¹¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ÎÆÃÊÌ°·¤¤¤ò̵¸ú¤¹¤ë¤³¤È¤¬¤Ç¤­¤ë¡£
°Ê²¼¤Î¤è¤¦¤Ê¥Õ¥é¥°¤¬¤¢¤ë¡£
.TP
.B SECBIT_KEEP_CAPS
¤³¤Î¥Õ¥é¥°¤ò¥»¥Ã¥È¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¡¢UID ¤¬ 0 ¤Î¥¹¥ì¥Ã¥É¤Î UID ¤¬ 0 °Ê³°¤ÎÃͤË
ÀÚ¤êÂؤï¤ëºÝ¤Ë¡¢¤½¤Î¥¹¥ì¥Ã¥É¤Ï¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò°Ý»ý¤¹¤ë¤³¤È¤¬¤Ç¤­¤ë¡£
¤³¤Î¥Õ¥é¥°¤¬¥»¥Ã¥È¤µ¤ì¤Æ¤¤¤Ê¤¤¾ì¹ç¤Ë¤Ï¡¢UID ¤¬ 0 ¤«¤é 0 °Ê³°¤ÎÃͤË
ÀÚ¤êÂؤï¤ë¤È¡¢¤½¤Î¥¹¥ì¥Ã¥É¤ÏÁ´¤Æ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò¼º¤¦¡£
¤³¤Î¥Õ¥é¥°¤Ï
.BR execve (2)
»þ¤Ë¤ÏÁ´¤Æ¥¯¥ê¥¢¤µ¤ì¤ë
(¤³¤Î¥Õ¥é¥°¤Ï¡¢°ÊÁ°¤Î
.BR prctl (2)
¤Î
.B PR_SET_KEEPCAPS
Áàºî¤ÈƱ¤¸µ¡Ç½¤òÄ󶡤¹¤ë¤â¤Î¤Ç¤¢¤ë)¡£
.TP
.B SECBIT_NO_SETUID_FIXUP
¤³¤Î¥Õ¥é¥°¤ò¥»¥Ã¥È¤¹¤ë¤È¡¢¥¹¥ì¥Ã¥É¤Î¼Â¸ú UID ¤È¥Õ¥¡¥¤¥ë¥·¥¹¥Æ¥à UID ¤¬
0 ¤È 0 °Ê³°¤Î´Ö¤ÇÀÚ¤êÂؤï¤Ã¤¿¾ì¹ç¤Ë¡¢
¥«¡¼¥Í¥ë¤Ï¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ÎÄ´À°¤ò¹Ô¤ï¤Ê¤¯¤Ê¤ë
(¡Ö¥æ¡¼¥¶ ID Êѹ¹¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ø¤Î±Æ¶Á¡×¤ÎÀá¤ò»²¾È)¡£
.TP
.B SECBIT_NOROOT
¤³¤Î¥Ó¥Ã¥È¤¬¥»¥Ã¥È¤µ¤ì¤Æ¤¤¤ë¾ì¹ç¡¢
set-user-ID-root ¥×¥í¥°¥é¥à¤Î¼Â¹Ô»þ¤ä¡¢
¼Â¸ú UID ¤« ¼Â UID ¤¬ 0 ¤Î¥×¥í¥»¥¹¤¬
.BR execve (2)
¤ò¸Æ¤Ó½Ð¤·¤¿»þ¤Ë¡¢¥«¡¼¥Í¥ë¤Ï¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òµö²Ä¤·¤Ê¤¤
(¡Ö¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤È¡¢¥ë¡¼¥È¤Ë¤è¤ë¥×¥í¥°¥é¥à¤Î¼Â¹Ô¡×¤ÎÀá¤ò»²¾È)¡£
.PP
¾åµ­¤Î "base" ¥Õ¥é¥°¤Î³Æ¡¹¤Ë¤ÏÂбþ¤¹¤ë "locked" ¥Õ¥é¥°¤¬Â¸ºß¤¹¤ë¡£
¤¤¤º¤ì¤Î "locked" ¥Õ¥é¥°¤â°ìÅÙ¥»¥Ã¥È¤µ¤ì¤ë¤ÈÌ᤹¤³¤È¤Ï¤Ç¤­¤º¡¢
¤½¤ì°Ê¹ß¤ÏÂбþ¤¹¤ë "base" ¥Õ¥é¥°¤òÊѹ¹¤¹¤ë¤³¤È¤¬¤Ç¤­¤Ê¤¯¤Ê¤ë¡£
"locked" ¥Õ¥é¥°¤Ï
.BR SECBIT_KEEP_CAPS_LOCKED ,
.BR SECBIT_NO_SETUID_FIXUP_LOCKED ,
.BR SECBIT_NOROOT_LOCKED
¤È¤¤¤¦Ì¾Á°¤Ç¤¢¤ë¡£
.PP
.I securebits
¥Õ¥é¥°¤Ï¡¢
.BR prctl (2)
¤ÎÁàºî
.B PR_SET_SECUREBITS
¤ä
.B PR_GET_SECUREBITS
¤ò»È¤¦¤³¤È¤ÇÊѹ¹¤·¤¿¤ê¼èÆÀ¤·¤¿¤ê¤Ç¤­¤ë¡£
¥Õ¥é¥°¤òÊѹ¹¤¹¤ë¤Ë¤Ï
.B CAP_SETPCAP
¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬É¬ÍפǤ¢¤ë¡£

.I securebits
¥Õ¥é¥°¤Ï»Ò¥×¥í¥»¥¹¤Ë·Ñ¾µ¤µ¤ì¤ë¡£
.BR execve (2)
¤Ë¤ª¤¤¤Æ¤Ï¡¢
.B SECURE_KEEP_CAPS
¤¬¾ï¤Ë¥¯¥ê¥¢¤µ¤ì¤ë°Ê³°¤Ï¡¢Á´¤Æ¤Î¥Õ¥é¥°¤¬ÊÝ»ý¤µ¤ì¤ë¡£

¥¢¥×¥ê¥±¡¼¥·¥ç¥ó¤Ï¡¢°Ê²¼¤Î¸Æ¤Ó½Ð¤·¤ò¹Ô¤¦¤³¤È¤Ë¤è¤ê¡¢
¼«Ê¬¼«¿È¤ª¤è¤Ó»Ò¹¤È¤Ê¤ë¥×¥í¥»¥¹Á´¤Æ¤ËÂФ·¤Æ¡¢
ɬÍפʥե¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ã¤¿¥×¥í¥°¥é¥à¤ò¼Â¹Ô¤·¤Ê¤¤¸Â¤ê¡¢
Âбþ¤¹¤ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò³ÍÆÀ¤Ç¤­¤Ê¤¤¤è¤¦¤Ê¾õ¶·¤ËÊĤ¸¤³¤á¤ë¤³¤È¤¬¤Ç¤­¤ë¡£
.in +4n
.nf

prctl(PR_SET_SECUREBITS,
        SECBIT_KEEP_CAPS_LOCKED |
        SECBIT_NO_SETUID_FIXUP |
        SECBIT_NO_SETUID_FIXUP_LOCKED |
        SECBIT_NOROOT |
        SECBIT_NOROOT_LOCKED);
.fi
.in
.SH ½àµò
.PP
¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ë´Ø¤¹¤ëɸ½à¤Ï¤Ê¤¤¤¬¡¢ Linux ¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ÏÇѰƤˤʤä¿
POSIX.1e Áð°Æ¤Ë´ð¤Å¤¤¤Æ¼ÂÁõ¤µ¤ì¤Æ¤¤¤ë¡£
.I http://wt.xpilot.org/publications/posix.1e/
¤ò»²¾È¡£
.SH Ãí°Õ
¥«¡¼¥Í¥ë 2.5.27 °Ê¹ß¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ÏÁªÂò¼°¤Î¥«¡¼¥Í¥ë¥³¥ó¥Ý¡¼¥Í¥ó¥È
¤È¤Ê¤Ã¤Æ¤ª¤ê¡¢¥«¡¼¥Í¥ëÀßÄꥪ¥×¥·¥ç¥ó CONFIG_SECURITY_CAPABILITIES
¤Ë¤è¤êÍ­¸ú/̵¸ú¤òÀÚ¤êÂؤ¨¤ë¤³¤È¤¬¤Ç¤­¤ë¡£

.I /proc/PID/task/TID/status
¥Õ¥¡¥¤¥ë¤ò»È¤¦¤È¡¢¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤ò¸«¤ë¤³¤È¤¬¤Ç¤­¤ë¡£
.I /proc/PID/status
¥Õ¥¡¥¤¥ë¤Ë¤Ï¡¢¥×¥í¥»¥¹¤Î¥á¥¤¥ó¥¹¥ì¥Ã¥É¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¥»¥Ã¥È¤¬É½¼¨¤µ¤ì¤ë¡£

.I libcap
¥Ñ¥Ã¥±¡¼¥¸¤Ï¡¢¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òÀßÄꡦ¼èÆÀ¤¹¤ë¤¿¤á¤Î
¥ë¡¼¥Á¥ó·²¤òÄ󶡤·¤Æ¤¤¤ë¡£¤³¤ì¤é¤Î¥¤¥ó¥¿¥Õ¥§¡¼¥¹¤Ï¡¢
.BR capset (2)
¤È
.BR capget (2)
¤¬Ä󶡤¹¤ë¥¤¥ó¥¿¡¼¥Õ¥§¡¼¥¹¤ÈÈæ¤Ù¤Æ¡¢¤è¤ê»È¤¤¤ä¤¹¤¯¡¢Êѹ¹¤µ¤ì¤ë²ÄǽÀ­¤¬¾¯¤Ê¤¤¡£
¤³¤Î¥Ñ¥Ã¥±¡¼¥¸¤Ç¤Ï¡¢
.BR setcap (8),
.BR getcap (8)
¤È¤¤¤¦¥×¥í¥°¥é¥à¤âÄ󶡤µ¤ì¤Æ¤¤¤ë¡£
¥Ñ¥Ã¥±¡¼¥¸¤Ï
.I http://www.kernel.org/pub/linux/libs/security/linux-privs
¤ÇÆþ¼ê¤Ç¤­¤ë¡£

¥Ð¡¼¥¸¥ç¥ó 2.6.24 ¤è¤êÁ°¡¢¤ª¤è¤Ó¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬
Í­¸ú¤Ë¤Ê¤Ã¤Æ¤¤¤Ê¤¤2.6.24 °Ê¹ß¤Î¥«¡¼¥Í¥ë¤Ç¤Ï¡¢
.B CAP_SETPCAP
¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ã¤¿¥¹¥ì¥Ã¥É¤Ï¼«Ê¬°Ê³°¤Î¥¹¥ì¥Ã¥É¤Î
¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òÁàºî¤Ç¤­¤ë¡£
¤·¤«¤·¤Ê¤¬¤é¡¢¤³¤ì¤ÏÍýÏÀŪ¤Ë²Äǽ¤È¤¤¤¦¤À¤±¤Ç¤¢¤ë¡£
°Ê²¼¤Î¤¤¤º¤ì¤«¤Î¾ì¹ç¤Ë¤ª¤¤¤Æ¤â¡¢¤É¤Î¥¹¥ì¥Ã¥É¤â
.BR CAP_SETPCAP
¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤ò»ý¤Ä¤³¤È¤Ï¤Ê¤¤¤«¤é¤Ç¤¢¤ë¡£
.IP * 2
2.6.25 ¤è¤êÁ°¤Î¼ÂÁõ¤Ç¤Ï¡¢¥·¥¹¥Æ¥à¶¦Ä̤Υ±¡¼¥Ñ¥Ó¥ê¥Æ¥£¡¦¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È
.I /proc/sys/kernel/cap-bound
¤Ç¤Ï¤³¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤Ï¾ï¤Ë̵¸ú¤Ë¤Ê¤Ã¤Æ¤ª¤ê¡¢
¥½¡¼¥¹¤òÊѹ¹¤·¤Æ¥«¡¼¥Í¥ë¤òºÆ¥³¥ó¥Ñ¥¤¥ë¤·¤Ê¤¤¸Â¤ê¡¢
¤³¤ì¤òÊѹ¹¤¹¤ë¤³¤È¤Ï¤Ç¤­¤Ê¤¤¡£
.IP *
¸½ºß¤Î¼ÂÁõ¤Ç¤Ï¥Õ¥¡¥¤¥ë¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤¬Ìµ¸ú¤Ë¤Ê¤Ã¤Æ¤¤¤ë¾ì¹ç¡¢
¥×¥í¥»¥¹Ëè¤Î¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤«¤é¤³¤Î¥±¡¼¥Ñ¥Ó¥ê¥Æ¥£¤òÈ´¤¤¤Æ
.B init
¤Ï³«»Ï¤µ¤ì¡¢
¥·¥¹¥Æ¥à¾å¤ÇÀ¸À®¤µ¤ì¤ë¾¤ÎÁ´¤Æ¤Î¥×¥í¥»¥¹¤Ç¤³¤Î¥Ð¥¦¥ó¥Ç¥£¥ó¥°¥»¥Ã¥È¤¬
·Ñ¾µ¤µ¤ì¤ë¡£
.SH ´ØÏ¢¹àÌÜ
.BR capget (2),
.BR prctl (2),
.BR setfsuid (2),
.BR cap_clear (3),
.BR cap_copy_ext (3),
.BR cap_from_text (3),
.BR cap_get_file (3),
.BR cap_get_proc (3),
.BR cap_init (3),
.BR capgetp (3),
.BR capsetp (3),
.BR credentials (7),
.BR pthreads (7),
.BR getcap (8),
.BR setcap (8)
.PP
¥«¡¼¥Í¥ë¥½¡¼¥¹Æâ¤Î
.I include/linux/capability.h