path: root/chapter06/libcap.xml
blob: 7b6bcabdc4b3489496cbd188c88bf7207e217529 (plain)
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../general.ent">
  %general-entities;
]>

<sect1 id="ch-system-libcap" role="wrap">
  <?dbhtml filename="libcap.html"?>

  <sect1info condition="script">
    <productname>libcap</productname>
    <productnumber>&libcap-version;</productnumber>
    <address>&libcap-url;</address>
  </sect1info>

  <title>Libcap-&libcap-version;</title>

  <indexterm zone="ch-system-libcap">
    <primary sortas="a-Libcap">Libcap</primary>
  </indexterm>

  <sect2 role="package">
    <title/>

    <para>The Libcap package implements the user-space interfaces to the POSIX
    1003.1e capabilities available in Linux kernels. These capabilities
    partition the all-powerful root privilege into a set of distinct
    privileges, so that a program can be given only the privileges it needs
    rather than full root access.</para>

    <segmentedlist>
      <segtitle>&buildtime;</segtitle>
      <segtitle>&diskspace;</segtitle>

      <seglistitem>
        <seg>&libcap-ch6-sbu;</seg>
        <seg>&libcap-ch6-du;</seg>
      </seglistitem>
    </segmentedlist>

  </sect2>

  <sect2 role="installation">
    <title>Installation of Libcap</title>

    <para>Prevent a static library from being installed:</para>

<screen><userinput remap="pre">sed -i '/install.*STALIBNAME/d' libcap/Makefile</userinput></screen>

    <para>Compile the package:</para>

<screen><userinput remap="make">make</userinput></screen>

    <para>This package does not come with a test suite.</para>

    <para>Install the package:</para>

<screen><userinput remap="install">make RAISE_SETFCAP=no lib=lib prefix=/usr install
chmod -v 755 /usr/lib/libcap.so.&libcap-version;</userinput></screen>

    <variablelist>
      <title>The meaning of the make options:</title>

      <varlistentry>
        <term><parameter>RAISE_SETFCAP=no</parameter></term>
        <listitem>
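          <para>This parameter makes the installation skip the step in which
          <command>setcap</command> is run on the newly installed
          <command>setcap</command> program itself. This avoids an installation
          error if the kernel or file system does not support extended
          capabilities. As a consequence, no file capabilities are set on that
          program during installation.</para>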
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><parameter>lib=lib</parameter></term>
        <listitem>
          <para>This parameter installs the library in
          <filename>$prefix/lib</filename> rather than
          <filename>$prefix/lib64</filename> on x86_64. It has no effect on
          x86.</para>
        </listitem>
      </varlistentry>
 
    </variablelist>

    <para>The shared library needs to be moved to
    <filename class="directory">/lib</filename>, and as a result the
    <filename class="extension">.so</filename> symbolic link in
    <filename class="directory">/usr/lib</filename> will need to be recreated
    so that it points to the library's new location:</para>

<screen><userinput remap="install">mv -v /usr/lib/libcap.so.* /lib
ln -sfv ../../lib/$(readlink /usr/lib/libcap.so) /usr/lib/libcap.so</userinput></screen>

  </sect2>

  <sect2 id="contents-libcap" role="content">
    <title>Contents of Libcap</title>

    <segmentedlist>
      <segtitle>Installed programs</segtitle>
      <segtitle>Installed library</segtitle>

      <seglistitem>
        <seg>capsh, getcap, getpcaps, and setcap</seg>
        <seg>libcap.so</seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="capsh">
        <term><command>capsh</command></term>
        <listitem>
          <para>A shell wrapper to explore and constrain capability support</para>
          <indexterm zone="ch-system-libcap capsh">
            <primary sortas="b-capsh">capsh</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="getcap">
        <term><command>getcap</command></term>
        <listitem>
          <para>Examines file capabilities</para>
          <indexterm zone="ch-system-libcap getcap">
            <primary sortas="b-getcap">getcap</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="getpcaps">
        <term><command>getpcaps</command></term>
        <listitem>
          <para>Displays the capabilities of the queried process(es)</para>
          <indexterm zone="ch-system-libcap getpcaps">
            <primary sortas="b-getpcaps">getpcaps</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="setcap">
        <term><command>setcap</command></term>
        <listitem>
          <para>Sets file capabilities</para>
          <indexterm zone="ch-system-libcap setcap">
            <primary sortas="b-setcap">setcap</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libcap">
        <term><filename class="libraryfile">libcap</filename></term>
        <listitem>
          <para>Contains the library functions for manipulating POSIX 1003.1e
          capabilities</para>
          <indexterm zone="ch-system-libcap libcap">
            <primary sortas="c-libcap">libcap</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>