.\" Copyright (c) 2002 by Michael Kerrisk <mtk.manpages@gmail.com>
.\" Permission is granted to make and distribute verbatim copies of this
.\" manual provided the copyright notice and this permission notice are
.\" preserved on all copies.
.\" Permission is granted to copy and distribute modified versions of this
.\" manual under the conditions for verbatim copying, provided that the
.\" entire resulting derived work is distributed under the terms of a
.\" permission notice identical to this one.
.\" Since the Linux kernel and libraries are constantly changing, this
.\" manual page may be incorrect or out-of-date. The author(s) assume no
.\" responsibility for errors or omissions, or for damages resulting from
.\" the use of the information contained herein. The author(s) may not
.\" have taken the same level of care in the production of this manual,
.\" which is licensed free of charge, as they might when working
.\" Formatted or processed versions of this manual, if unaccompanied by
.\" the source, must acknowledge the copyright and authors of this work.
.\" 6 Aug 2002 - Initial Creation
.\" Modified 2003-05-23, Michael Kerrisk, <mtk.manpages@gmail.com>
.\" Modified 2004-05-27, Michael Kerrisk, <mtk.manpages@gmail.com>
.\" 2004-12-08, mtk Added O_NOATIME for CAP_FOWNER
.\" 2005-08-16, mtk, Added CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE
.\" 2008-07-15, Serge Hallyn <serue@us.bbm.com>
.\"     Document file capabilities, per-process capability
.\"     bounding set, changed semantics for CAP_SETPCAP,
.\"     and other changes in 2.6.2[45].
.\"     Add CAP_MAC_ADMIN, CAP_MAC_OVERRIDE, CAP_SETFCAP.
.\"     Add text describing circumstances in which CAP_SETPCAP
.\"     (theoretically) permits a thread to change the
.\"     capability sets of another thread.
.\"     Add section describing rules for programmatically
.\"     adjusting thread capability sets.
.\"     Describe rationale for capability bounding set.
.\"     Document "securebits" flags.
.\"     Add text noting that if we set the effective flag for one file
.\"     capability, then we must also set the effective flag for all
.\"     other capabilities where the permitted or inheritable bit is set.
.\" Japanese Version Copyright (c) 2005 Akihiro MOTOKI all rights reserved.
.\" Translated 2005-03-09, Akihiro MOTOKI <amotoki@dd.iij4u.or.jp>
.\" Updated 2005-11-04, Akihiro MOTOKI
.\" Updated 2006-04-16, Akihiro MOTOKI, LDP v2.29
.\" Updated 2006-07-20, Akihiro MOTOKI, LDP v2.34
.\" Updated 2007-01-05, Akihiro MOTOKI, LDP v2.43
.\" Updated 2008-12-24, Akihiro MOTOKI, LDP v3.15
.\" Updated 2009-02-27, Akihiro MOTOKI, LDP v3.19
.\" Updated 2010-04-11, Akihiro MOTOKI, LDP v3.24
.TH CAPABILITIES 7 2010-01-31 "Linux" "Linux Programmer's Manual"
.SH NAME
capabilities \- overview of Linux capabilities
.SH DESCRIPTION
For the purpose of performing permission checks,
traditional Unix implementations distinguish two categories of processes:
.I privileged
processes (whose effective user ID is 0, referred to as superuser or root),
and
.I unprivileged
processes (whose effective UID is nonzero).
Privileged processes bypass all kernel permission checks,
while unprivileged processes are subject to full permission
checking based on the process's credentials
(usually: effective UID, effective GID, and supplementary group list).

Starting with kernel 2.2, Linux divides the privileges traditionally
associated with the superuser into distinct units, known as
.IR capabilities ,
which can be independently enabled and disabled.
Capabilities are a per-thread attribute.
.SS Capabilities List
The following list shows the capabilities implemented on Linux,
and the operations or behaviors that each capability permits:
.TP
.BR CAP_AUDIT_CONTROL " (since Linux 2.6.11)"
Enable and disable kernel auditing; change auditing filter rules;
retrieve auditing status and filtering rules.
.TP
.BR CAP_AUDIT_WRITE " (since Linux 2.6.11)"
Write records to the kernel auditing log.
.TP
.B CAP_CHOWN
Make arbitrary changes to file UIDs and GIDs (see
.BR chown (2)).
.TP
.B CAP_DAC_OVERRIDE
Bypass file read, write, and execute permission checks.
(DAC is an abbreviation of "discretionary access control".)
.TP
.B CAP_DAC_READ_SEARCH
Bypass file read permission checks and
directory read and execute permission checks.
.TP
.B CAP_FOWNER
.PD 0
.RS
.IP * 2
Bypass permission checks on operations that normally
require the file system UID of the process to match the UID of
the file (e.g.,
.BR chmod (2),
.BR utime (2)),
excluding those operations covered by
.B CAP_DAC_OVERRIDE
and
.BR CAP_DAC_READ_SEARCH ;
.IP *
set extended file attributes (see
.BR chattr (1))
on arbitrary files;
.IP *
set Access Control Lists (ACLs) on arbitrary files;
.IP *
ignore the directory sticky bit on file deletion;
.IP *
specify
.B O_NOATIME
for arbitrary files in
.BR open (2)
and
.BR fcntl (2).
.RE
.PD
.TP
.B CAP_FSETID
Don't clear the set-user-ID and set-group-ID permission
bits when a file is modified;
set the set-group-ID bit for a file whose GID does not match
the file system GID or any of the supplementary GIDs of the calling process.
.TP
.B CAP_IPC_OWNER
Bypass permission checks for operations on System V IPC objects.
.TP
.B CAP_KILL
Bypass permission checks for sending signals (see
.BR kill (2)).
This includes use of the
.BR ioctl (2)
.B KDSIGACCEPT
operation.
.\" FIXME CAP_KILL also has an effect for threads + setting child
.\"       termination signal to other than SIGCHLD: without this
.\"       capability, the termination signal reverts to SIGCHLD
.\"       if the child does an exec().  What is the rationale
.\"       for this?
.TP
.BR CAP_LEASE " (since Linux 2.4)"
Establish leases on arbitrary files (see
.BR fcntl (2)).
.TP
.B CAP_LINUX_IMMUTABLE
Set the
.B FS_APPEND_FL
and
.B FS_IMMUTABLE_FL
i-node flags (see
.BR chattr (1)).
.\" These attributes are available on ext2, ext3, Reiserfs, XFS, and JFS.
.TP
.BR CAP_MAC_ADMIN " (since Linux 2.6.25)"
Allow Mandatory Access Control (MAC) configuration or state changes.
Implemented for the Smack Linux Security Module (LSM).
.TP
.BR CAP_MAC_OVERRIDE " (since Linux 2.6.25)"
Override MAC access checks.
Implemented for the Smack LSM.
.TP
.BR CAP_MKNOD " (since Linux 2.4)"
Create special files using
.BR mknod (2).
.TP
.B CAP_NET_ADMIN
Perform various network-related operations
(e.g., setting privileged socket options,
enabling multicasting, interface configuration,
modifying routing tables).
.TP
.B CAP_NET_BIND_SERVICE
Bind a socket to Internet domain privileged ports
(port numbers less than 1024).
.TP
.B CAP_NET_BROADCAST
(Unused) Make socket broadcasts, and listen to multicasts.
.TP
.B CAP_NET_RAW
Use RAW and PACKET sockets.
.\" Also various IP options and the SO_BINDTODEVICE socket option.
.TP
.B CAP_SETGID
Make arbitrary manipulations of process GIDs and the supplementary GID list;
forge GIDs when passing socket credentials via Unix domain sockets.
.TP
.BR CAP_SETFCAP " (since Linux 2.6.24)"
Set file capabilities.
.TP
.B CAP_SETPCAP
If file capabilities are not supported:
grant or remove any capability in the
caller's permitted capability set to or from any other process.
(This property of
.B CAP_SETPCAP
is not available when the kernel is configured to support
file capabilities, since
.B CAP_SETPCAP
has entirely different semantics for such kernels.)

If file capabilities are supported:
add any capability from the calling thread's bounding set
to its inheritable set;
drop capabilities from the bounding set (via
.BR prctl (2));
make changes to the
.I securebits
flags.
.TP
.B CAP_SETUID
Make arbitrary manipulations of process UIDs;
forge UIDs when passing socket credentials via Unix domain sockets.
.\" FIXME CAP_SETUID also has an effect in exec(); document this.
.TP
.B CAP_SYS_ADMIN
.PD 0
.RS
.IP * 2
Perform a range of system administration operations including:
.BR quotactl (2),
.BR mount (2),
.BR umount (2),
.BR swapon (2),
.BR swapoff (2),
.BR sethostname (2),
and
.BR setdomainname (2);
.IP *
perform IPC_SET and IPC_RMID operations on arbitrary System V IPC objects;
.IP *
perform operations on the
.I trusted
and
.I security
extended attributes (see
.BR attr (5));
.IP *
use
.BR lookup_dcookie (2);
.IP *
use
.BR ioprio_set (2)
to assign the
.B IOPRIO_CLASS_RT
and (before Linux 2.6.25)
.B IOPRIO_CLASS_IDLE
I/O scheduling classes;
.IP *
forge UIDs when passing socket credentials;
.IP *
exceed
.IR /proc/sys/fs/file-max ,
the system-wide limit on the number of open files,
in system calls that open files (e.g.,
.BR accept (2),
.BR execve (2),
.BR open (2),
.BR pipe (2)).
.RE
.PD
.TP
.B CAP_SYS_MODULE
Load and unload kernel modules (see
.BR init_module (2)
and
.BR delete_module (2));
in kernels before 2.6.25:
drop capabilities from the system-wide capability bounding set.
.TP
.B CAP_SYS_NICE
.PD 0
.RS
.IP * 2
Raise the process nice value
.RB ( nice (2),
.BR setpriority (2))
and change the nice value of arbitrary processes;
.IP *
set real-time scheduling policies for the calling process,
and set scheduling policies and priorities for arbitrary processes
.RB ( sched_setscheduler (2),
.BR sched_setparam (2));
.IP *
set CPU affinity for arbitrary processes
.RB ( sched_setaffinity (2));
.IP *
set the I/O scheduling class and priority of arbitrary processes
.RB ( ioprio_set (2));
.IP *
apply
.BR migrate_pages (2)
to arbitrary processes and allow processes
to be migrated to arbitrary nodes;
.\" FIXME CAP_SYS_NICE also has the following effect for
.\" migrate_pages(2):
.\"     do_migrate_pages(mm, &old, &new,
.\"         capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE);
.IP *
apply
.BR move_pages (2)
to arbitrary processes.
.RE
.PD
.TP
.B CAP_SYS_PTRACE
Trace arbitrary processes using
.BR ptrace (2).
.TP
.B CAP_SYS_RAWIO
Perform I/O port operations
.RB ( iopl (2)
and
.BR ioperm (2)).
.TP
.B CAP_SYS_RESOURCE
.PD 0
.RS
.IP * 2
Use reserved space on ext2 file systems;
.IP *
make
.BR ioctl (2)
calls controlling ext3 journaling;
.IP *
override disk quota limits;
.IP *
increase resource limits (see
.BR setrlimit (2));
.IP *
override the
.B RLIMIT_NPROC
resource limit;
.IP *
raise the
.I msg_qbytes
limit for a System V message queue above the limit in
.IR /proc/sys/kernel/msgmnb .
.RE
.PD
.TP
.B CAP_SYS_TIME
Set the system clock
.RB ( settimeofday (2),
.BR stime (2),
.BR adjtimex (2));
set the real-time (hardware) clock.
.TP
.B CAP_SYS_TTY_CONFIG
Use
.BR vhangup (2).
.SS Past and Current Implementation
A full implementation of capabilities requires that:
.IP 1. 3
For all privileged operations,
the kernel must check whether the thread has the required
capability in its effective set.
.IP 2.
The kernel must provide system calls allowing a thread's capability sets to
be changed and retrieved.
.IP 3.
The file system must support attaching capabilities to an executable file,
so that a process gains those capabilities when the file is executed.
.PP
Before kernel 2.6.24, only the first two of these requirements are met;
since kernel 2.6.24, all three requirements are met.
.SS Thread Capability Sets
Each thread has three capability sets containing zero or more
of the above capabilities:
.TP
.IR Permitted :
This is a limiting superset for the effective
capabilities that the thread may assume.
It is also a limiting superset for the capabilities that
may be added to the inheritable set by a thread that does not have the
.B CAP_SETPCAP
capability in its effective set.

If a thread drops a capability from its permitted set,
it can never reacquire that capability (unless it
.BR execve (2)s
either a set-user-ID-root program, or
a program whose associated file capabilities grant that capability).
.TP
.IR Inheritable :
This is a set of capabilities preserved across an
.BR execve (2).
It provides a mechanism for a process to assign capabilities
to the permitted set of the new program during an
.BR execve (2).
.TP
.IR Effective :
This is the set of capabilities used by the kernel to
perform permission checks for the thread.
.PP
A child created via
.BR fork (2)
inherits copies of its parent's capability sets.
See below for a discussion of the treatment of capabilities during
.BR execve (2).
.PP
Using
.BR capset (2),
a thread may manipulate its own capability sets (see below).
.SS File Capabilities
Since kernel 2.6.24, the kernel supports
associating capability sets with an executable file using
.BR setcap (8).
The file capability sets are stored in an extended attribute (see
.BR setxattr (2))
named
.IR security.capability .
Writing to this extended attribute requires the
.B CAP_SETFCAP
capability.
The file capability sets,
in conjunction with the capability sets of the thread,
determine the capabilities of a thread after an
.BR execve (2).

The three file capability sets are:
.TP
.IR Permitted " (formerly known as " forced ):
These capabilities are automatically permitted to the thread,
regardless of the thread's inheritable capabilities.
.TP
.IR Inheritable " (formerly known as " allowed ):
This set is ANDed with the thread's inheritable set to determine which
inheritable capabilities are enabled in the permitted set of
the thread after the
.BR execve (2).
.TP
.IR Effective :
This is not a set, but rather just a single bit.
If this bit is set, then during an
.BR execve (2)
all of the new permitted capabilities for the thread are
also raised in the effective set.
If this bit is not set, then after an
.BR execve (2),
none of the new permitted capabilities is in the new effective set.

Enabling the file effective capability bit implies
that any file permitted or inheritable capability that causes a
thread to acquire the corresponding permitted capability during an
.BR execve (2)
(see the transformation rules described below) will also be acquired
in its effective set.
Therefore, when assigning capabilities to a file
.RB ( setcap (8),
.BR cap_set_file (3),
.BR cap_set_fd (3)),
if the effective flag is specified as enabled for any capability,
then the effective flag must also be specified as enabled
for all other capabilities for which the corresponding permitted or
inheritable flag is enabled.
.SS "Transformation of Capabilities During execve()"
During an
.BR execve (2),
the kernel calculates the new capabilities of
the process using the following algorithm:
.in +4n
.nf

P'(permitted) = (P(inheritable) & F(inheritable)) |
                (F(permitted) & cap_bset)

P'(effective) = F(effective) ? P'(permitted) : 0

P'(inheritable) = P(inheritable)    [i.e., unchanged]

.fi
.in
where:
.RS 4
.IP P 10
denotes the value of a thread capability set before the
.BR execve (2)
.IP P'
denotes the value of a capability set after the
.BR execve (2)
.IP F
denotes a file capability set
.IP cap_bset
is the value of the capability bounding set (described below).
.RE
.SS Capabilities and execution of programs by root
In order to provide an all-powerful
.I root
using capability sets, during an
.BR execve (2):
.IP 1. 3
If a set-user-ID-root program is being executed,
or the real user ID of the process is 0 (root),
then the file inheritable and permitted sets are defined to be all ones
(i.e., all capabilities enabled).
.IP 2.
If a set-user-ID-root program is being executed,
then the file effective bit is defined to be one (enabled).
.PP
The upshot of the above rules,
combined with the capability transformations described above,
is that when a process
.BR execve (2)s
a set-user-ID-root program, or when a process with an effective UID of 0
.BR execve (2)s
a program,
it gains all capabilities in its permitted and effective capability sets
(more precisely, all capabilities except those masked out by the
capability bounding set).
.\" If a process with real UID 0 and nonzero effective UID does an
.\" exec(), then it gets all capabilities in its
.\" permitted set, and no effective capabilities.
This provides semantics that are the same as those provided by
traditional Unix systems.
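The following program is added here as an illustration; it is not part of this manual page or of the kernel sources. It applies the transformation formula of the previous subsection together with the two root rules above to 64-bit capability masks. Bit numbers follow <linux/capability.h> (CAP_SETPCAP is 8, CAP_NET_BIND_SERVICE is 10, CAP_SYS_ADMIN is 21). Rule 1's "a set-user-ID-root program is being executed" is modelled as "the effective UID after the exec will be 0", which also covers a caller that already runs with effective UID 0 (the case named in the paragraph above); the SECBIT_NOROOT flag described later on this page simply skips both rules. The credentials and file capability values used by demo_unprivileged_exec() and demo_root_exec() are constructed for the demonstration.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from capabilities(7): a userspace model of the
 * execve() capability transformation including the "programs by root"
 * rules.  Sets are 64-bit masks; bit n is capability number n as
 * defined in <linux/capability.h>. */
typedef uint64_t capmask_t;

#define CAP_BIT(n)               ((capmask_t)1 << (n))
#define CAP_ALL                  (~(capmask_t)0)
#define CAP_SETPCAP_BIT          CAP_BIT(8)
#define CAP_NET_BIND_SERVICE_BIT CAP_BIT(10)
#define CAP_SYS_ADMIN_BIT        CAP_BIT(21)

struct thread_caps { capmask_t permitted, inheritable, effective; };
struct file_caps   { capmask_t permitted, inheritable; bool effective; };

/* Credentials that drive the root rules.  new_euid is the effective UID
 * the process will have after the exec: 0 for a set-user-ID-root program,
 * and also 0 when the caller already runs with effective UID 0. */
struct exec_creds { unsigned int real_uid, new_euid; bool secbit_noroot; };

static struct thread_caps
exec_transform(const struct thread_caps *P, const struct file_caps *F_file,
               capmask_t cap_bset, const struct exec_creds *cr)
{
    struct file_caps F = *F_file;

    /* Root rules (skipped when SECBIT_NOROOT is set): the file sets are
     * treated as all ones, and the effective bit as set, for UID-0 execs. */
    if (!cr->secbit_noroot) {
        if (cr->new_euid == 0 || cr->real_uid == 0) {
            F.inheritable = CAP_ALL;
            F.permitted   = CAP_ALL;
        }
        if (cr->new_euid == 0)
            F.effective = true;
    }

    struct thread_caps P2;
    P2.permitted   = (P->inheritable & F.inheritable) | (F.permitted & cap_bset);
    P2.effective   = F.effective ? P2.permitted : 0;
    P2.inheritable = P->inheritable;            /* unchanged */
    return P2;
}

/* Constructed scenario: the caller carries CAP_NET_BIND_SERVICE in its
 * inheritable set and has dropped CAP_SETPCAP from its bounding set.  The
 * file grants CAP_SETPCAP (permitted) and CAP_NET_BIND_SERVICE plus
 * CAP_SYS_ADMIN (inheritable), with the effective bit on. */
static const struct thread_caps caller = {
    .permitted = 0, .inheritable = CAP_NET_BIND_SERVICE_BIT, .effective = 0,
};
static const struct file_caps binary = {
    .permitted   = CAP_SETPCAP_BIT,
    .inheritable = CAP_NET_BIND_SERVICE_BIT | CAP_SYS_ADMIN_BIT,
    .effective   = true,
};
static const capmask_t bset_without_setpcap = CAP_ALL & ~CAP_SETPCAP_BIT;

/* An unprivileged user (UID 1000) executes the binary. */
struct thread_caps demo_unprivileged_exec(void)
{
    struct exec_creds cr = { .real_uid = 1000, .new_euid = 1000, .secbit_noroot = false };
    return exec_transform(&caller, &binary, bset_without_setpcap, &cr);
}

/* Root (real and effective UID 0) executes the same binary, with or
 * without SECBIT_NOROOT set. */
struct thread_caps demo_root_exec(bool secbit_noroot)
{
    struct exec_creds cr = { .real_uid = 0, .new_euid = 0, .secbit_noroot = secbit_noroot };
    return exec_transform(&caller, &binary, bset_without_setpcap, &cr);
}

static void show(const char *label, struct thread_caps c)
{
    printf("%-24s P=%016" PRIx64 " I=%016" PRIx64 " E=%016" PRIx64 "\n",
           label, c.permitted, c.inheritable, c.effective);
}

int main(void)
{
    show("uid 1000, file caps:", demo_unprivileged_exec());
    show("root, no securebits:", demo_root_exec(false));
    show("root, SECBIT_NOROOT:", demo_root_exec(true));
    return 0;
}
```

The three results are worth comparing: the unprivileged exec ends up with only CAP_NET_BIND_SERVICE (the file's CAP_SETPCAP is masked out by the bounding set, and its CAP_SYS_ADMIN inheritable bit has no counterpart in the caller's inheritable set); root receives every capability in its bounding set plus its own inheritable set regardless of what the file carries; root with SECBIT_NOROOT is treated exactly like the unprivileged caller.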
.SS Capability bounding set
The capability bounding set is a security mechanism that can be used
to limit the capabilities that can be gained during an
.BR execve (2).
The bounding set is used in the following ways:
.IP * 2
During an
.BR execve (2),
the capability bounding set is ANDed with the file permitted
capability set, and the result of this operation is assigned to the
thread's permitted capability set.
The capability bounding set thus places a limit on the permitted
capabilities that may be granted by an executable file.
.IP *
(Since Linux 2.6.25)
The capability bounding set acts as a limiting superset for
the capabilities that a thread can add to its inheritable set using
.BR capset (2).
This means that if a capability is not in the bounding set,
then a thread can't add this capability to its
inheritable set, even if it is in its permitted set,
and thereby cannot have this capability preserved in its
permitted set when it
.BR execve (2)s
a file that has the capability in its inheritable set.
.PP
Note that the bounding set masks the file permitted capabilities,
but not the inheritable capabilities.
If a thread maintains a capability in its inheritable set
that is not in its bounding set,
then it can still gain that capability in its permitted set
by executing a file that has the capability in its inheritable set.
.PP
Depending on the kernel version, the capability bounding set is either
a system-wide attribute or a per-process attribute.
.PP
.B "Capability bounding set prior to Linux 2.6.25"
.PP
In kernels before 2.6.25, the capability bounding set is a system-wide
attribute that affects all threads on the system.
The bounding set is accessible via the file
.IR /proc/sys/kernel/cap-bound .
(Confusingly, this bit mask parameter is expressed as a
signed decimal number in
.IR /proc/sys/kernel/cap-bound .)

Only the
.B init
process may set capabilities in the capability bounding set;
other than that, the superuser (more precisely: programs with the
.B CAP_SYS_MODULE
capability) may only clear capabilities from this set.

On a standard system the capability bounding set always masks out the
.B CAP_SETPCAP
capability.
To remove this restriction (dangerous!), modify the definition of
.B CAP_INIT_EFF_SET
in
.I include/linux/capability.h
and rebuild the kernel.

The system-wide capability bounding set feature was added
to Linux starting with kernel version 2.2.11.
.PP
.B "Capability bounding set from Linux 2.6.25 onward"
.PP
From Linux 2.6.25, the
.I "capability bounding set"
is a per-thread attribute.
(There is no longer a system-wide capability bounding set.)

The bounding set is inherited at
.BR fork (2)
from the thread's parent, and is preserved across an
.BR execve (2).

A thread may remove capabilities from its capability bounding set using the
.BR prctl (2)
.B PR_CAPBSET_DROP
operation, provided it has the
.B CAP_SETPCAP
capability.
Once a capability has been dropped from the bounding set,
it cannot be restored to that set.
A thread can determine whether a capability is in its bounding set using the
.BR prctl (2)
.B PR_CAPBSET_READ
operation.

Removing capabilities from the bounding set is supported only if file
capabilities are compiled into the kernel (CONFIG_SECURITY_FILE_CAPABILITIES).
In that case, the
.B init
process (the ancestor of all processes) begins with a full bounding set.
If file capabilities are not compiled into the kernel, then
.B init
begins with a full bounding set minus
.BR CAP_SETPCAP ,
because this capability has a different meaning when there are
no file capabilities.

Removing a capability from the bounding set does not remove it
from the thread's inheritable set.
However, it does prevent the capability from being added
back into the thread's inheritable set in the future.
.SS "Effect of User ID Changes on Capabilities"
In order to mirror traditional Unix semantics,
the kernel performs the following changes to a thread's capability
sets when the thread's real, effective, saved set, and file system
user IDs are changed (using
.BR setuid (2),
.BR setresuid (2),
or similar):
.IP 1. 3
If one or more of the real, effective, or saved set user IDs
was previously 0, and as a result of the UID changes all of these IDs
have a nonzero value, then all capabilities are cleared from the
permitted and effective capability sets.
.IP 2.
If the effective user ID is changed from 0 to nonzero,
then all capabilities are cleared from the effective set.
.IP 3.
If the effective user ID is changed from nonzero to 0,
then the permitted set is copied to the effective set.
.IP 4.
If the file system user ID is changed from 0 to nonzero (see
.BR setfsuid (2)),
then the following capabilities are cleared from the effective set:
.BR CAP_CHOWN ,
.BR CAP_DAC_OVERRIDE ,
.BR CAP_DAC_READ_SEARCH ,
.BR CAP_FOWNER ,
.BR CAP_FSETID ,
.B CAP_LINUX_IMMUTABLE
(since Linux 2.6.30),
.BR CAP_MAC_OVERRIDE ,
and
.B CAP_MKNOD
(since Linux 2.6.30).
If the file system UID is changed from nonzero to 0,
then any of these capabilities that are enabled in the permitted set
are enabled in the effective set.
.PP
If a thread that has a 0 value for one or more of its user IDs wants
to prevent its permitted capability set being cleared when it resets
all of its user IDs to nonzero values, it can do so using the
.BR prctl (2)
.B PR_SET_KEEPCAPS
operation.
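The four rules above, as an added model that is neither this manual page's nor the kernel's own code. It applies the adjustments to 64-bit masks on a UID change, together with the two switches that disable them: PR_SET_KEEPCAPS (equivalently SECBIT_KEEP_CAPS, described below), which exempts rule 1 only, and SECBIT_NO_SETUID_FIXUP which, in the kernel's implementation, suppresses all four rules. Bit numbers follow <linux/capability.h>; the rule-4 mask is the list of capabilities given above. The daemon credentials in demo_drop_to_user() and the file system UID round trip in demo_lower_fsuid() and demo_restore_fsuid() are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from capabilities(7) or the kernel: a model of the
 * four UID-change rules with the switches that disable them.
 * Bit numbers follow <linux/capability.h>. */
typedef uint64_t capmask_t;
#define CAP_BIT(n) ((capmask_t)1 << (n))

/* Rule 4's group: the capabilities listed above for file system UID changes. */
#define CAP_FS_MASK \
    (CAP_BIT(0)  /* CAP_CHOWN */           | CAP_BIT(1)  /* CAP_DAC_OVERRIDE */    | \
     CAP_BIT(2)  /* CAP_DAC_READ_SEARCH */ | CAP_BIT(3)  /* CAP_FOWNER */          | \
     CAP_BIT(4)  /* CAP_FSETID */          | CAP_BIT(9)  /* CAP_LINUX_IMMUTABLE */ | \
     CAP_BIT(27) /* CAP_MKNOD */           | CAP_BIT(32) /* CAP_MAC_OVERRIDE */)

#define CAP_CHOWN_BIT            CAP_BIT(0)
#define CAP_NET_BIND_SERVICE_BIT CAP_BIT(10)
#define CAP_SYS_ADMIN_BIT        CAP_BIT(21)

struct creds {
    unsigned int ruid, euid, suid, fsuid;
    capmask_t permitted, effective;
    bool keep_caps;        /* PR_SET_KEEPCAPS / SECBIT_KEEP_CAPS */
    bool no_setuid_fixup;  /* SECBIT_NO_SETUID_FIXUP */
};

static bool any_uid_zero(const struct creds *c)
{
    return c->ruid == 0 || c->euid == 0 || c->suid == 0;
}

/* Credentials after the UIDs change to the given values. */
struct creds apply_uid_change(struct creds old, unsigned int ruid,
                              unsigned int euid, unsigned int suid,
                              unsigned int fsuid)
{
    struct creds nxt = old;
    nxt.ruid = ruid; nxt.euid = euid; nxt.suid = suid; nxt.fsuid = fsuid;

    /* SECBIT_NO_SETUID_FIXUP: the kernel performs none of the adjustments. */
    if (old.no_setuid_fixup)
        return nxt;

    /* Rule 1: leaving UID 0 on every ID empties permitted and effective,
     * unless keep-caps was requested beforehand. */
    if (any_uid_zero(&old) && !any_uid_zero(&nxt) && !old.keep_caps) {
        nxt.permitted = 0;
        nxt.effective = 0;
    }
    /* Rules 2 and 3: the effective UID crossing zero. */
    if (old.euid == 0 && nxt.euid != 0)
        nxt.effective = 0;
    else if (old.euid != 0 && nxt.euid == 0)
        nxt.effective = nxt.permitted;
    /* Rule 4: the file system UID crossing zero touches only the FS group. */
    if (old.fsuid == 0 && nxt.fsuid != 0)
        nxt.effective &= ~CAP_FS_MASK;
    else if (old.fsuid != 0 && nxt.fsuid == 0)
        nxt.effective |= nxt.permitted & CAP_FS_MASK;
    return nxt;
}

/* Constructed scenario: a root daemon holding CAP_NET_BIND_SERVICE and
 * CAP_SYS_ADMIN switches every UID to 1000, as setresuid(1000, 1000, 1000)
 * would do. */
struct creds demo_drop_to_user(bool keep_caps)
{
    struct creds root = {
        .ruid = 0, .euid = 0, .suid = 0, .fsuid = 0,
        .permitted = CAP_NET_BIND_SERVICE_BIT | CAP_SYS_ADMIN_BIT,
        .effective = CAP_NET_BIND_SERVICE_BIT | CAP_SYS_ADMIN_BIT,
        .keep_caps = keep_caps, .no_setuid_fixup = false,
    };
    return apply_uid_change(root, 1000, 1000, 1000, 1000);
}

/* Root lowering only its file system UID, as setfsuid(1000) would do ... */
struct creds demo_lower_fsuid(void)
{
    struct creds root = {
        .permitted = CAP_CHOWN_BIT | CAP_NET_BIND_SERVICE_BIT,
        .effective = CAP_CHOWN_BIT | CAP_NET_BIND_SERVICE_BIT,
    };
    return apply_uid_change(root, 0, 0, 0, 1000);
}

/* ... and raising it back to 0 afterwards. */
struct creds demo_restore_fsuid(void)
{
    return apply_uid_change(demo_lower_fsuid(), 0, 0, 0, 0);
}

static void show(const char *label, struct creds c)
{
    printf("%-34s permitted=%#llx effective=%#llx\n", label,
           (unsigned long long)c.permitted, (unsigned long long)c.effective);
}

int main(void)
{
    show("setresuid(1000) without keepcaps:", demo_drop_to_user(false));
    show("setresuid(1000) with keepcaps:", demo_drop_to_user(true));
    show("setfsuid(1000):", demo_lower_fsuid());
    show("setfsuid(0) again:", demo_restore_fsuid());
    return 0;
}
```

The case to notice is demo_drop_to_user(true): keep-caps preserves the permitted set, but rule 2 still empties the effective set when the effective UID leaves 0, so a daemon that drops root this way must re-raise the capabilities it needs with capset(2) (or cap_set_proc(3)) afterwards. The setfsuid() case shows the narrower effect of rule 4: only the file-system group of capabilities leaves the effective set, and it returns when the file system UID goes back to 0.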
.SS Programmatically adjusting capability sets
A thread can retrieve and change its capability sets using the
.BR capget (2)
and
.BR capset (2)
system calls.
However, the use of
.BR cap_get_proc (3)
and
.BR cap_set_proc (3),
both provided in the
.I libcap
package,
is preferred for this purpose.
The following rules govern changes to the thread capability sets:
.IP 1. 3
If the caller does not have the
.B CAP_SETPCAP
capability,
the new inheritable set must be a subset of the union
of the existing inheritable and permitted sets.
.IP 2.
(Since kernel 2.6.25)
The new inheritable set must be a subset of the union of the
existing inheritable set and the capability bounding set.
.IP 3.
The new permitted set must be a subset of the existing permitted set
(i.e., it is not possible to acquire permitted capabilities
that the thread does not currently have).
.IP 4.
The new effective set must be a subset of the new permitted set.
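An added check function, not part of this manual page or of libcap, that applies the four rules above to 64-bit masks and reports which rule a proposed change would violate (the kernel reports every violation as EPERM, so the rule number is a diagnostic this model adds). "Union" in rules 1 and 2 is the behaviour of the kernel's cap_combine(), which ORs the two sets. The starting point (a server thread permitted CAP_NET_BIND_SERVICE and CAP_SYS_NICE, with a bounding set lacking CAP_SETPCAP and CAP_SYS_NICE) is constructed; bit numbers follow <linux/capability.h>.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not the man page's or libcap's code): the four capset()
 * rules as a pure function over 64-bit masks.  Bit numbers follow
 * <linux/capability.h>. */
typedef uint64_t capmask_t;
#define CAP_BIT(n) ((capmask_t)1 << (n))
#define CAP_SETPCAP_BIT          CAP_BIT(8)
#define CAP_NET_BIND_SERVICE_BIT CAP_BIT(10)
#define CAP_SYS_ADMIN_BIT        CAP_BIT(21)
#define CAP_SYS_NICE_BIT         CAP_BIT(23)

struct capsets { capmask_t permitted, inheritable, effective; };

static bool is_subset(capmask_t a, capmask_t b) { return (a & ~b) == 0; }

/* Returns 0 if the change from *cur to *want is allowed, otherwise the
 * number (1..4) of the first rule it breaks.  per_thread_bset selects the
 * 2.6.25-and-later behaviour in which rule 2 applies. */
int capset_check(const struct capsets *cur, const struct capsets *want,
                 capmask_t bset, bool per_thread_bset)
{
    bool has_setpcap = (cur->effective & CAP_SETPCAP_BIT) != 0;

    /* Rule 1: without CAP_SETPCAP, I' must lie within I | P. */
    if (!has_setpcap &&
        !is_subset(want->inheritable, cur->inheritable | cur->permitted))
        return 1;
    /* Rule 2 (since 2.6.25): I' must lie within I | bounding set. */
    if (per_thread_bset &&
        !is_subset(want->inheritable, cur->inheritable | bset))
        return 2;
    /* Rule 3: the permitted set can only shrink. */
    if (!is_subset(want->permitted, cur->permitted))
        return 3;
    /* Rule 4: the new effective set must lie within the new permitted set. */
    if (!is_subset(want->effective, want->permitted))
        return 4;
    return 0;
}

/* Constructed starting point: permitted {CAP_NET_BIND_SERVICE, CAP_SYS_NICE},
 * only the former effective, nothing inheritable, and a bounding set from
 * which CAP_SETPCAP and CAP_SYS_NICE have been dropped. */
static const struct capsets server = {
    .permitted   = CAP_NET_BIND_SERVICE_BIT | CAP_SYS_NICE_BIT,
    .inheritable = 0,
    .effective   = CAP_NET_BIND_SERVICE_BIT,
};
static const capmask_t server_bset = ~(CAP_SETPCAP_BIT | CAP_SYS_NICE_BIT);

/* Clearing the effective set between privileged operations: allowed. */
int demo_drop_effective(void)
{
    struct capsets want = server;
    want.effective = 0;
    return capset_check(&server, &want, server_bset, true);
}

/* Adding CAP_SYS_ADMIN to the permitted set: rule 3. */
int demo_gain_permitted(void)
{
    struct capsets want = server;
    want.permitted |= CAP_SYS_ADMIN_BIT;
    return capset_check(&server, &want, server_bset, true);
}

/* Raising an effective bit that is not permitted: rule 4. */
int demo_effective_beyond_permitted(void)
{
    struct capsets want = server;
    want.effective |= CAP_SYS_ADMIN_BIT;
    return capset_check(&server, &want, server_bset, true);
}

/* Making a permitted capability inheritable although it is outside the
 * bounding set: rule 1 passes, rule 2 rejects it. */
int demo_inherit_outside_bset(void)
{
    struct capsets want = server;
    want.inheritable = CAP_SYS_NICE_BIT;
    return capset_check(&server, &want, server_bset, true);
}

/* Making a capability inheritable that the thread does not hold at all,
 * without CAP_SETPCAP: rule 1. */
int demo_inherit_unheld(void)
{
    struct capsets want = server;
    want.inheritable = CAP_SYS_ADMIN_BIT;
    return capset_check(&server, &want, server_bset, true);
}

int main(void)
{
    printf("drop effective             -> rule %d\n", demo_drop_effective());
    printf("gain permitted             -> rule %d\n", demo_gain_permitted());
    printf("effective beyond permitted -> rule %d\n", demo_effective_beyond_permitted());
    printf("inherit outside bset       -> rule %d\n", demo_inherit_outside_bset());
    printf("inherit unheld capability  -> rule %d\n", demo_inherit_unheld());
    return 0;
}
```

demo_inherit_outside_bset() is the situation described in the bounding set subsection above: CAP_SYS_NICE is permitted, so rule 1 allows it, but because it has been dropped from the bounding set it can no longer be made inheritable and therefore cannot survive an execve(2) of a file that lists it as inheritable.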
.SS The securebits flags: establishing a capabilities-only environment
.\" For some background:
.\"       see http://lwn.net/Articles/280279/ and
.\"       http://article.gmane.org/gmane.linux.kernel.lsm/5476/
Starting with kernel 2.6.26,
and with a kernel in which file capabilities are enabled,
Linux implements a set of per-thread
.I securebits
flags that can be used to disable special handling of capabilities for UID 0
.RI ( root ).
These flags are as follows:
.TP
.B SECBIT_KEEP_CAPS
Setting this flag allows a thread that has one or more 0 UIDs to retain
its capabilities when it switches all of its UIDs to nonzero values.
If this flag is not set,
then such a UID switch causes the thread to lose all capabilities.
This flag is always cleared on an
.BR execve (2).
(This flag provides the same functionality as the older
.BR prctl (2)
.B PR_SET_KEEPCAPS
operation.)
.TP
.B SECBIT_NO_SETUID_FIXUP
Setting this flag stops the kernel from adjusting capability sets when
the thread's effective and file system UIDs are switched between
zero and nonzero values.
(See the subsection
.IR "Effect of User ID Changes on Capabilities" .)
.TP
.B SECBIT_NOROOT
If this bit is set, then the kernel does not grant capabilities
when a set-user-ID-root program is executed, or when a process
with an effective or real UID of 0 calls
.BR execve (2).
(See the subsection
.IR "Capabilities and execution of programs by root" .)
.PP
Each of the above "base" flags has a companion "locked" flag.
Setting any of the "locked" flags is irreversible,
and has the effect of preventing further changes to the
corresponding "base" flag.
The locked flags are
.BR SECBIT_KEEP_CAPS_LOCKED ,
.BR SECBIT_NO_SETUID_FIXUP_LOCKED ,
and
.BR SECBIT_NOROOT_LOCKED .
.PP
The
.I securebits
flags can be modified and retrieved using the
.BR prctl (2)
.B PR_SET_SECUREBITS
and
.B PR_GET_SECUREBITS
operations.
The
.B CAP_SETPCAP
capability is required to modify the flags.

The
.I securebits
flags are inherited by child processes.
During an
.BR execve (2),
all of the flags are preserved, except
.B SECBIT_KEEP_CAPS
which is always cleared.

An application can use the following call to lock itself,
and all of its descendants,
into an environment where the only way of gaining capabilities
is by executing a program with associated file capabilities:
.in +4n
.nf

prctl(PR_SET_SECUREBITS,
        SECBIT_KEEP_CAPS_LOCKED |
        SECBIT_NO_SETUID_FIXUP |
        SECBIT_NO_SETUID_FIXUP_LOCKED |
        SECBIT_NOROOT |
        SECBIT_NOROOT_LOCKED);

.fi
.in
.SH "CONFORMING TO"
No standards govern capabilities, but the Linux capability implementation
is based on the withdrawn POSIX.1e draft standard; see
.IR http://wt.xpilot.org/publications/posix.1e/ .
.SH NOTES
Since kernel 2.5.27, capabilities are an optional kernel component,
and can be enabled/disabled via the CONFIG_SECURITY_CAPABILITIES
kernel configuration option.

The
.I /proc/PID/task/TID/status
file can be used to view the capability sets of a thread.
The
.I /proc/PID/status
file shows the capability sets of a process's main thread.
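Added example, not from this manual page: reading the capability lines out of a /proc/PID/status (or /proc/PID/task/TID/status) snapshot and decoding the masks to capability names. The kernel writes each set as a 64-bit hexadecimal mask after a "CapInh:", "CapPrm:", "CapEff:" or "CapBnd:" label. The sample_status text below is constructed for the demonstration, not captured from a live system, and the name table is that of <linux/capability.h> up to CAP_MAC_ADMIN (33), the last capability defined for the kernels this page describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from capabilities(7): decoding the CapXxx lines of
 * /proc/PID/status.  Each set is a 64-bit hexadecimal mask; bit n is
 * capability number n from <linux/capability.h>.  Constructed sample. */
static const char sample_status[] =
    "Name:\thttpd\n"
    "Pid:\t4242\n"
    "Uid:\t33\t33\t33\t33\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000400\n"
    "CapEff:\t0000000000000400\n"
    "CapBnd:\t00000003ffffffff\n";

/* Parses the hexadecimal mask on the line labelled "<field>:".
 * Returns 0 on success, -1 if the field is absent or malformed. */
int parse_cap_field(const char *status, const char *field, uint64_t *mask)
{
    size_t flen = strlen(field);
    const char *line = status;

    while (line != NULL && *line != '\0') {
        if (strncmp(line, field, flen) == 0 && line[flen] == ':') {
            const char *p = line + flen + 1;
            char *end;
            while (*p == ' ' || *p == '\t')
                p++;
            unsigned long long v = strtoull(p, &end, 16);
            if (end == p || (*end != '\n' && *end != '\0'))
                return -1;
            *mask = (uint64_t)v;
            return 0;
        }
        line = strchr(line, '\n');
        if (line != NULL)
            line++;
    }
    return -1;
}

/* Mask of one field of the constructed sample, or UINT64_MAX if absent. */
uint64_t sample_mask(const char *field)
{
    uint64_t m;
    return parse_cap_field(sample_status, field, &m) == 0 ? m : UINT64_MAX;
}

/* Capability names by bit number, as in <linux/capability.h>. */
static const char *const cap_names[] = {
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin",
};
#define NCAP_NAMES (sizeof cap_names / sizeof cap_names[0])

/* Renders a mask as a comma-separated list such as "cap_chown,cap_sys_admin";
 * bits beyond the name table are printed as their number.
 * Uses a static buffer, so it is meant for single-threaded use. */
const char *caps_to_text(uint64_t mask)
{
    static char buf[1024];
    size_t used = 0;
    int n = 0;

    buf[0] = '\0';
    for (unsigned bit = 0; bit < 64; bit++) {
        if (!(mask & ((uint64_t)1 << bit)))
            continue;
        int w = bit < NCAP_NAMES
            ? snprintf(buf + used, sizeof buf - used, "%scap_%s", n ? "," : "", cap_names[bit])
            : snprintf(buf + used, sizeof buf - used, "%s%u", n ? "," : "", bit);
        if (w < 0 || (size_t)w >= sizeof buf - used)
            break;
        used += (size_t)w;
        n++;
    }
    return buf;
}

int main(void)
{
    static const char *const fields[] = { "CapInh", "CapPrm", "CapEff", "CapBnd" };
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        uint64_t m;
        if (parse_cap_field(sample_status, fields[i], &m) != 0) {
            printf("%s: missing\n", fields[i]);
            continue;
        }
        printf("%s: %016llx = %s\n", fields[i], (unsigned long long)m, caps_to_text(m));
    }
    return 0;
}
```

The same parser can be run over the contents of a live /proc/PID/status read with any file API. When reviewing such output, remember the rules given earlier on this page: the effective set is always a subset of the permitted set, and the bounding set limits what an execve(2) can add through a file's permitted set but not what arrives through the inheritable set.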
The
.I libcap
package provides a suite of routines for setting and
getting capabilities that is more comfortable and less likely
to change than the interface provided by
.BR capset (2)
and
.BR capget (2).
This package also provides the
.BR setcap (8)
and
.BR getcap (8)
programs.
It can be found at
.br
.IR http://www.kernel.org/pub/linux/libs/security/linux-privs .
Before kernel 2.6.24, and since kernel 2.6.24 if
file capabilities are not enabled, a thread with the
.B CAP_SETPCAP
capability can manipulate the capabilities of threads other than itself.
However, this is only theoretically possible,
since no thread ever has
.B CAP_SETPCAP
in either of these cases:
.IP * 2
In the pre-2.6.25 implementation the system-wide capability bounding set,
.IR /proc/sys/kernel/cap-bound ,
always masks out this capability, and this cannot be changed
without modifying the kernel source and rebuilding.
.IP *
If file capabilities are disabled in the current implementation, then
.B init
starts out with this capability removed from its per-process bounding
set, and that bounding set is inherited by all other processes
created on the system.
.SH "SEE ALSO"
.BR cap_copy_ext (3),
.BR cap_from_text (3),
.BR cap_get_file (3),
.BR cap_get_proc (3)
.PP
.I include/linux/capability.h