2.10. Linux Capabilities (CAP)

2.10.1. Basics

In Linux kernels, all special rights of root are grouped into so-called Posix Capabilities, e.g. for network administration or full file access. The RSBAC CAP module allows you to define a minimum and a maximum capability set for both users and programs. Program settings override user settings, and minimum settings override maximum settings.

This module can be used to:

in the standard Linux way. It is thus the only RSBAC module which directly interferes with existing Linux access control.

2.10.2. When to use CAP model

This model should be used whenever you have to do something which is usually forbidden by standard Linux access control, or if you have to run a root daemon but want to restrict its rights within the coarse Posix capability scheme.

CAP is especially useful for giving RSBAC administrators who are not root read access to all directories, so that they can administer there despite insufficient Linux access modes.
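The two rules from the Basics section (program settings override user settings, minimum settings override maximum settings) and the two use cases above can be modelled as a small bitmask computation. This is an added illustration, not RSBAC's own code: the resolution order below is an assumption drawn from the text, the sample users and programs are constructed, and the capability bit numbers are the standard ones from linux/capability.h.

```python
"""Model of how CAP min/max sets bound a process's capabilities (added
example; the resolution rule is an assumption drawn from the handbook text,
not RSBAC's implementation, and the settings below are constructed)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Standard Linux capability bit numbers (linux/capability.h).
CAP_DAC_READ_SEARCH  = 1 << 2
CAP_NET_BIND_SERVICE = 1 << 10
CAP_NET_ADMIN        = 1 << 12
CAP_SYS_ADMIN        = 1 << 21
# All capability bits; assumes a current kernel with CAP_LAST_CAP == 40.
CAP_ALL = (1 << 41) - 1


@dataclass
class CapSetting:
    """A CAP-module setting; None means 'not configured' (Linux default)."""
    min_caps: Optional[int] = None
    max_caps: Optional[int] = None


def resolve(user: CapSetting, program: CapSetting) -> Tuple[int, int]:
    """Pick the effective (min, max) pair: a configured program setting
    replaces the user's; an unconfigured bound falls back to the Linux
    default (no forced capabilities, every capability allowed)."""
    min_caps = program.min_caps if program.min_caps is not None else user.min_caps
    max_caps = program.max_caps if program.max_caps is not None else user.max_caps
    return (min_caps or 0, CAP_ALL if max_caps is None else max_caps)


def effective_caps(linux_caps: int, user: CapSetting, program: CapSetting) -> int:
    """Cut the Linux-granted set down to max, then force min on top,
    so the minimum set wins over the maximum set."""
    min_caps, max_caps = resolve(user, program)
    return (linux_caps & max_caps) | min_caps


def has_cap(caps: int, cap: int) -> bool:
    return caps & cap == cap


# Constructed scenario 1: a non-root RSBAC admin. Linux grants no capabilities,
# the user's min set forces CAP_DAC_READ_SEARCH so every directory is readable.
ADMIN_USER = CapSetting(min_caps=CAP_DAC_READ_SEARCH)
NO_PROGRAM = CapSetting()
# Constructed scenario 2: a root daemon. Linux grants everything, the program's
# max set trims it to the network capabilities the daemon actually needs.
ROOT_USER = CapSetting()
DAEMON = CapSetting(max_caps=CAP_NET_BIND_SERVICE | CAP_NET_ADMIN)

if __name__ == "__main__":
    print(hex(effective_caps(0, ADMIN_USER, NO_PROGRAM)))
    print(hex(effective_caps(CAP_ALL, ROOT_USER, DAEMON)))
```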

Note

If you only want to partially disable Linux access control for filesystem objects for all users, consider using the generic RSBAC functionality provided for this purpose through the "Allow disabling of Linux filesystem access control" kernel config option.