unable to include capability.h

Daniel Lezcano daniel.lezcano at free.fr
Tue Jun 16 09:32:13 UTC 2009


Steve Grubb wrote:
> On Friday 12 June 2009 09:02:39 am Daniel Lezcano wrote:
>   
>> As I only need the CAP_SYS_BOOT, I will define it manually in the source
>> code and will remove the include, that's ugly but anyway... :/
>>     
>
> Alternately....as of today, libcap-ng is now in Fedora. It has a far simpler 
> API and you should be able to do things in 2-3 lines of code. For example, if 
> you wanted to use it to retain only CAP_SYS_BOOT, the code would be:
>
> capng_clear(CAPNG_SELECT_BOTH);
> capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_BOOT);
> capng_apply(CAPNG_SELECT_CAPS);
>
> You're done. If you know your application has no children, then you would want 
> to change the last line to use CAPNG_SELECT_BOTH so that the bounding set is 
> cleared. libcap-ng has 1 relocation and libcap has 35, so it starts up faster. 
> It's also smaller in size and has better analysis tools.
>
> More info can be found here:
> http://people.redhat.com/sgrubb/libcap-ng/
>
> I'll be setting up a Fedora 12 project in the next few days to drop privs 
> everywhere.
>   
Interesting. Thanks for the information.

  -- Daniel
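
What the three libcap-ng calls quoted above amount to at the kernel interface, as an added example that is not code from this thread or from libcap-ng: it uses the raw capget/capset syscalls instead of the library. It assumes Linux with the kernel header <linux/capability.h> available; the helper names only_cap, keep_only and effective_low are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Hypothetical helpers, not libcap-ng API. only_cap() fills hdr/data so that
 * effective and permitted hold exactly `cap` and inheritable is empty. */
static void only_cap(int cap, struct __user_cap_header_struct *hdr,
                     struct __user_cap_data_struct data[2])
{
    memset(hdr, 0, sizeof(*hdr));               /* pid 0 = calling thread */
    memset(data, 0, 2 * sizeof(data[0]));
    hdr->version = _LINUX_CAPABILITY_VERSION_3; /* 64-bit sets, two words */
    data[CAP_TO_INDEX(cap)].effective = CAP_TO_MASK(cap);
    data[CAP_TO_INDEX(cap)].permitted = CAP_TO_MASK(cap);
}

/* Install the reduced sets. Returns 0 on success, -1 with errno set
 * (EPERM when the caller does not already hold `cap` as permitted). */
static int keep_only(int cap)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];
    only_cap(cap, &hdr, data);
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Read back the low word of the calling thread's effective set. */
static int effective_low(unsigned int *out)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    *out = data[0].effective;
    return 0;
}

int main(void)
{
    unsigned int eff = 0;
    if (keep_only(CAP_SYS_BOOT) != 0)
        fprintf(stderr, "capset: %s\n", strerror(errno));
    if (effective_low(&eff) == 0)
        printf("effective (low word): 0x%08x\n", eff);
    return 0;
}
```

Run unprivileged, capset fails with EPERM and the effective set reads back unchanged. This covers only the effective, permitted and inheritable sets, not the bounding set.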
