On Tue, Jun 13, 2006 at 04:13:33PM +0400, Dmitry V. Levin wrote:
> On Tue, Jun 13, 2006 at 02:06:48PM +0400, Alexey Tourbin wrote:
> > From cron.daily I need to run a shell program (roughly like osec),
> > and I would like to run it as a pseudo-user with all privileges
> > dropped except CAP_DAC_READ_SEARCH (which should be the same as
> > root's). How can this be done with libcap-utils?
> >
> > # sucap at at ls
> > Caps: =ep cap_setpcap-ep
>
> Without setpcap there is no way to do it with sucap.

And how do I do it with setpcap?

# su -l nobody -s /bin/sh -c 'sleep 999999' &
[1] 14437
# /sbin/setpcaps -q cap_dac_read_search=eip $!
[caps set to: = cap_dac_read_search+eip ]
Failed to set cap's on process `14437': (Operation not permitted)
usage: setcap [-q] (-|) [ ... (-|) ]

This program can be used to set the process capabilities of running
processes. In order to work, it needs to be executing with CAP_SETPCAP
raised, and the only capabilities that this program can bestow on
others are a subset of its effective set.

This program is mostly intended as an example -- a safe use of
CAP_SETPCAP has yet to be demonstrated!

[Copyright (c) 1997-8 Andrew G. Morgan ]
#
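The thread asks how to run a cron.daily script as an unprivileged user while keeping only CAP_DAC_READ_SEARCH. The following is an added example, not code from the thread or from libcap-utils: it does the drop from inside the root process itself instead of via setpcaps, using PR_SET_KEEPCAPS to carry the permitted set across setuid(), a raw capset(2) call to shrink it to the one capability, and the ambient set (Linux 4.3 and later, assumed available) so that a plain shell script keeps the capability across execve() without any file capabilities. The user name, script path and the helper names build_single_cap and drop_to_user_keeping are illustrative choices of this example.

```c
/* Added example: run a program as an unprivileged user keeping only one
 * capability (CAP_DAC_READ_SEARCH by default). Linux-only; the ambient
 * capability step needs kernel >= 4.3. Build with: cc -o drop_to_user drop_to_user.c
 * Run as root, e.g.: ./drop_to_user nobody /etc/cron.daily/osec-like.sh
 * (user and script path are assumptions for illustration). */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Older headers may lack the ambient-set prctl constants; values are the kernel's. */
#ifndef PR_CAP_AMBIENT
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_RAISE 2
#endif

/* Fill a capset(2) v3 payload holding exactly one capability in the
 * effective, permitted and inheritable sets. Returns 0, or -1 if cap does
 * not fit in the two 32-bit words the v3 ABI carries. */
int build_single_cap(int cap, struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3])
{
    if (cap < 0 || cap >= 32 * _LINUX_CAPABILITY_U32S_3)
        return -1;
    memset(data, 0, sizeof(*data) * _LINUX_CAPABILITY_U32S_3);
    __u32 bit = 1u << (cap % 32);
    data[cap / 32].effective = bit;
    data[cap / 32].permitted = bit;
    data[cap / 32].inheritable = bit;
    return 0;
}

/* Switch from root to uid/gid while retaining only `cap`, and raise it in
 * the ambient set so a capability-less script inherits it across execve().
 * Returns 0 on success, -1 with errno set on failure. */
int drop_to_user_keeping(uid_t uid, gid_t gid, int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    /* 1. keep the permitted set across the uid change; effective is still
     *    cleared by the kernel when uid 0 goes away, so it is re-raised below */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) return -1;
    if (setgroups(0, NULL) == -1) return -1;
    if (setgid(gid) == -1 || setuid(uid) == -1) return -1;

    /* 2. shrink permitted to the single capability and put it back into
     *    effective and inheritable (allowed without CAP_SETPCAP because it
     *    is still in permitted) */
    if (build_single_cap(cap, data) == -1) return -1;
    if (syscall(SYS_capset, &hdr, data) == -1) return -1;

    /* 3. ambient set: requires the cap in both permitted and inheritable,
     *    and is what lets an ordinary script keep it after execve() */
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) == -1) return -1;
    prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);

    /* 4. sanity check: CAP_SETUID is gone and saved uid is no longer 0,
     *    so regaining root must fail */
    if (setuid(0) != -1) { errno = EPERM; return -1; }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s user program [args...]\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[1]);
    if (!pw) {
        fprintf(stderr, "no such user: %s\n", argv[1]);
        return 2;
    }
    if (drop_to_user_keeping(pw->pw_uid, pw->pw_gid, CAP_DAC_READ_SEARCH) == -1) {
        perror("drop_to_user_keeping");
        return 1;
    }
    execv(argv[2], argv + 2);
    perror("execv");
    return 1;
}
```

Inside the started script, `grep Cap /proc/self/status` should show CAP_DAC_READ_SEARCH (bit 2, mask 0x4) in CapPrm, CapEff, CapInh and CapAmb, and `id` should report the unprivileged user. Without the ambient step, the script would only keep the capability if its file had the matching inheritable file capability set, which is the restriction the thread ran into with setpcaps on an already-running shell.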