Configuring capabilities instead of setuid binaries
Linux capabilities allow for course-grained kernel security authorizations on the user and application levels. Before capabilities existed, administrators could only grant additional privileges to users through setuid applications: applications which, when executed, inherit the privileges of the owner of the application (usually, root). With capabilities, the set of privileges can be restricted further.
For instance, the ping application can be granted the cap_net_raw capability, so it does not need to be setuid anymore. Depending on the setup, either users need to be granted the possible use of the capability (if the application has the proper flag set) or the capability is granted immediately (regardless of user settings).
How to do it…
To use capabilities with SELinux, execute the following steps:
Enable the capabilities that are needed for an application on the application binary:
~# setcap cap_net_raw+ei /bin/pingFor the users that are...
