Diffstat (limited to 'contrib/capso/README.md')
-rw-r--r-- contrib/capso/README.md 21
1 files changed, 21 insertions, 0 deletions
diff --git a/contrib/capso/README.md b/contrib/capso/README.md
new file mode 100644
index 0000000..df2e878
--- /dev/null
+++ b/contrib/capso/README.md
@@ -0,0 +1,21 @@
+# Leveraging file capabilities on shared libraries
+
+This directory contains an example of a shared library (`capso.so`)
+that can be installed with file capabilities. When the library is
+linked against an unprivileged program, it includes internal support
+for re-invoking itself as a child subprocess to execute a privileged
+operation on bahalf of the parent.
+
+The idea for doing this was evolved from the way `pam_unix.so` is able
+to leverage a separate program, and `libcap`'s recently added support
+for supporting binary execution of all the `.so` files built by the
+package.
+
+The actual program example `./bind` leverages the
+`"cap_net_bind_service=p"` enabled `./capso.so` file to bind to the
+privileged port 80.
+
+A writeup of how to build and explore the behavior of this example is
+provided on the `libcap` distribution website:
+
+https://sites.google.com/site/fullycapable/capable-shared-objects
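
Review bot: "bahalf" in the first paragraph should be "behalf", and the same sentence has the linkage reversed: the program is linked against the library, not "the library is linked against an unprivileged program". In the second paragraph, "recently added support for supporting binary execution" can be shortened to "recently added support for binary execution". Because `capso.so` is installed with `"cap_net_bind_service=p"` and re-invokes itself as a subprocess, the README should state in-tree how the capability is applied to the file, who is expected to be able to execute it, and what the re-invoked helper accepts from its parent. As written, all of that is left to the external writeup link, which can change or disappear independently of the repository.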