I wonder if anyone could assist with some problems I'm having with Linux Capabilities and their use when using the commands "nice" and "schedtool".
I run a couple of PCs, one is an elderly AMD Sempron 2800+ (32-bit, 2GHz clock and 3GB memory) that is used as a family multimedia system running mythTV. The other is an AMD Phenom II X3 (64-bit, three core, 2.5GHz, 4GB memory). Both systems run Ubuntu 10.04 LTS 32-bit and 64-bit versions respectively.
Ever since upgrading both systems to 10.04 I have had persistent, initially severe stuttering audio when using Rhythmbox and, on the media PC only, lesser problems with stuttering TV playback with mythTV. When I reverted from pulseaudio to ALSA, the severe problems with rhythmbox were cured on the desktop PC and alleviated on the media PC.
I am now attempting deal with the remaining problems on the media PC and, using rhythmbox as a guinea pig, I would like to try running rhythmbox either with a lower nice setting or scheduled as a real time process (SCHED_RR).
I wrote a (very short) script containing "nice --adjustment=-10 rhythmbox", gave the script execute and setuid root priviledges and called it. Gnome objected to this telling me that, as a matter of policy, gnome will not run any process as root.
Further research suggested that I needed instead to give the script file the capability cap_sys_nice+eip. The script's nice call was rejected due "insufficient privilege".
I've therefore written the following trivial script, test-file-caps:
and here is an example of it's use. You will see that despite the file having the cap_sys_nice capability, that capability is not present when it executes.
Code:
mike@orion:~/scripts$ ls -l ./test-file-caps
-rwxr--r-- 1 mike mike 167 2012-02-08 16:12 ./test-file-caps
mike@orion:~/scripts$ getcap ./test-file-caps
./test-file-caps = cap_sys_nice+eip
mike@orion:~/scripts$ ./test-file-caps
nice replies:
nice: cannot set niceness: Permission denied
capsh replies:
Current: =
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,
cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,
cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,
cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,
cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,
cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,
cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,
cap_mac_admin
Securebits: 00/0x0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=1000
mike@orion:~/scripts$
Can anyone please give me any suggestions or pointers to information that I'm lacking.
We are looking into buying a new software, billing software that is, and want to know if you can run that on the same UNIX server as another major software?
Is there a limit to the different types of software Unix can run, or is it like windows where you can install as many as you like?
... (2 Replies)
Hi there.
I've been tasked with making a new design for our Unix systems :eek:
Now the question I have is;
How many LPARs can a p570 hold WITHOUT using a VIO Server.
Many Thanks
Kees (1 Reply)
Hi.
I downloaded a package that could only be installed on RHEL5, and not 4 or 3, so I got the source in order to compile it on RHEL 3 so hopefully it will work on all versions.
So I have the source for a working package, but when I build it in RHEL 3 and then try to install it in RHEL 5, it... (6 Replies)
I have been a SCO UNIX user, never an administrator...so I am stumbling around looking for information.
I don't know too much about what is onboard in terms of hardware, however; I will try my best.
We have SCO 5.07 and have applied MP5.
We have a quad core processor with 4 250 GB... (1 Reply)
Hi
I'm trying to compile my linux kernel with CONFIG_SECURITY_CAPABILITIES=y.
any idea what this thing does ??
Also another question , If I compile the kernel that I'm currently using , what'll happen ?
~cheers (3 Replies)
Quite an obscure question I think.
We have a rebuild process for remote sites that allows us to PXE rebuild a till (actually a PC with a touch screen and various fancy bits) running CentOS. The current CentOS5 tills work just fine with a tar image restore and some personalisation. Sadly,... (4 Replies)
Discussion started by: rbatte1
4 Replies
LEARN ABOUT XFREE86
capsh
CAPSH(1) User Commands CAPSH(1)NAME
capsh - capability shell wrapper
SYNOPSIS
capsh [OPTION]...
DESCRIPTION
Linux capability support and use can be explored and constrained with this tool. This tool provides a handy wrapper for certain types of
capability testing and environment creation. It also provides some debugging features useful for summarizing capability state.
OPTIONS
The tool takes a number of optional arguments, acting on them in the order they are provided. They are as follows:
--print Display prevailing capability and related state.
-- [args] Execute /bin/bash with trailing arguments. Note, you can use -c 'command to execute' for specific commands.
== Execute capsh again with remaining arguments. Useful for testing exec() behavior.
--caps=cap-set Set the prevailing process capabilities to those specified by cap-set. Where cap-set is a text-representation of
capability state as per cap_from_text(3).
--drop=cap-list Remove the listed capabilities from the prevailing bounding set. The capabilities are a comma separated list of capa-
bilities as recognized by the cap_from_name(3) function. Use of this feature requires that the capsh program is oper-
ating with CAP_SETPCAP in its effective set.
--inh=cap-list Set the inheritable set of capabilities for the current process to equal those provided in the comma separated list.
For this action to succeed, the prevailing process should already have each of these capabilities in the union of the
current inheritable and permitted capability sets, or the capsh program is operating with CAP_SETPCAP in its effec-
tive set.
--user=username Assume the identity of the named user. That is, look up the user's uid and gid with getpwuid(3) and their group mem-
berships with getgrouplist(3) and set them all.
--uid=id Force all uid values to equal id using the setuid(2) system call.
--gid=<id> Force all gid values to equal id using the setgid(2) system call.
--groups=<id-list> Set the supplementary groups to the numerical list provided. The groups are set with the setgroups(2) system call.
--keep=<0|1> In a non-pure capability mode, the kernel provides liberal privilege to the super-user. However, it is normally the
case that when the super-user changes uid to some lesser user, then capabilities are dropped. For these situations,
the kernel can permit the process to retain its capabilities after a setuid(2) system call. This feature is known as
keep-caps support. The way to activate it using this script is with this argument. Setting the value to 1 will cause
keep-caps to be active. Setting it to 0 will cause keep-caps to deactivate for the current process. In all cases,
keep-caps is deactivated when an exec() is performed. See --secbits for ways to disable this feature.
--secbits=N XXX - need to document this feature.
--chroot=path Execute the chroot(2) system call with the new root-directory (/) equal to path. This operation requires
CAP_SYS_CHROOT to be in effect.
--forkfor=sec
--killit=sig
--decode=N This is a convenience feature. If you look at /proc/1/status there are some capability related fields of the follow-
ing form:
CapInh: 0000000000000000
CapPrm: ffffffffffffffff
CapEff: fffffffffffffeff
CapBnd: ffffffffffffffff
This option provides a quick way to decode a capability vector represented in this form. For example, the missing
capability from this effective set is 0x0100. By running:
capsh --decode=0x0100
we observe that the missing capability is: cap_setpcap.
--supports=xxx As the kernel evolves, more capabilities are added. This option can be used to verify the existence of a capability
on the system. For example, --supports=cap_syslog will cause capsh to promptly exit with a status of 1 when run on
kernel 2.6.27. However, when run on kernel 2.6.38 it will silently succeed.
EXIT STATUS
Following successful execution the tool exits with status 0. Following an error, the tool immediately exits with status 1.
AUTHOR
Written by Andrew G. Morgan <morgan@kernel.org>.
REPORTING BUGS
Please report bugs to the author.
SEE ALSO libcap(3), getcap(8),setcap(8) and capabilities(7).
libcap 2 2011-04-24 CAPSH(1)
02-08-2012
