Why are not all permitted capabilities of a Linux process effective all the time?

man 7 capabilities documents that the capabilities of a process on a Linux box are recorded as a set of three masks:

  • permitted
  • effective
  • inheritable

I have an idea to what extent the inheritable mask would come into play, but I am unclear about why there seems to be a need/use case to separate capabilities that are permitted from those that are effective.

Is there a case where some permitted capabilities are not effective, which could spice up an answer to this question?

Bonus round

Given the case that some capabilities are not effective and yet permitted, what keeps a process from setting them effective? It would seem to me, at least, that a rogue process would not hesitate to set everything that is permitted as effective, and normally even attempt to escalate privileges further.


Category: capabilities Time: 2016-07-28 Views: 0
Tags: capabilities
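The following is an added example, not part of the question above, that exercises the three sets through the raw capget(2)/capset(2) syscalls so it needs only Linux kernel headers and no libcap. It performs the transitions the bonus round asks about: it drops CAP_NET_RAW (chosen as the sample bit; any capability would do) from all three sets, then tries to put it back into permitted, tries to make it effective while it is not permitted, and finally clears effective while leaving permitted alone. The kernel refuses both raises with EPERM and allows both lowerings, whether the program starts as an unprivileged user (all sets empty, so the drop is a no-op) or as root with a full permitted set. That asymmetry is what contains a rogue process: permitted only ever shrinks until the next exec of a file carrying file capabilities, and effective can never exceed it, while inside that ceiling a process may lower and re-raise effective freely. A ping binary installed with `setcap cap_net_raw+p` starts in exactly this permitted-but-not-effective state and raises the bit only around the raw-socket call.

```c
/* Added example (not from the question): permitted/effective/inheritable
 * sets via raw capget(2)/capset(2). Linux only.
 * Build: gcc -Wall -o capsets_demo capsets_demo.c && ./capsets_demo */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

extern long syscall(long number, ...); /* repeated in case a strict -std hides it */

/* The three sets as 64-bit masks, bit n == capability number n
 * (the same encoding /proc/self/status prints as CapPrm/CapEff/CapInh). */
struct capsets {
    unsigned long long permitted;
    unsigned long long effective;
    unsigned long long inheritable;
};

/* CAP_NET_RAW is only the sample capability used by the demo. */
#define SAMPLE_CAP_BIT (1ULL << CAP_NET_RAW)

/* Read the calling thread's sets. Returns 0, or -errno on failure. */
static int caps_get(struct capsets *out)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[_LINUX_CAPABILITY_U32S_3];

    memset(d, 0, sizeof d);
    if (syscall(SYS_capget, &hdr, d) != 0)
        return -errno;
    out->permitted   = ((unsigned long long)d[1].permitted   << 32) | d[0].permitted;
    out->effective   = ((unsigned long long)d[1].effective   << 32) | d[0].effective;
    out->inheritable = ((unsigned long long)d[1].inheritable << 32) | d[0].inheritable;
    return 0;
}

/* Install new sets for the calling thread. Returns 0, or -errno: the kernel
 * answers -EPERM to any attempt to grow permitted, or to make a bit
 * effective that is not in permitted. */
static int caps_set(const struct capsets *in)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[_LINUX_CAPABILITY_U32S_3];

    for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++) {
        d[i].permitted   = (unsigned)(in->permitted   >> (32 * i));
        d[i].effective   = (unsigned)(in->effective   >> (32 * i));
        d[i].inheritable = (unsigned)(in->inheritable >> (32 * i));
    }
    if (syscall(SYS_capset, &hdr, d) != 0)
        return -errno;
    return 0;
}

/* Outcome of the four transitions (0 = allowed, -EPERM = refused). */
struct demo_result {
    int drop_rc;             /* remove the sample bit from all three sets   */
    int raise_permitted_rc;  /* put it back into permitted                  */
    int raise_effective_rc;  /* make it effective while it is not permitted */
    int clear_effective_rc;  /* effective := 0 while keeping permitted      */
};

static struct demo_result run_demo(void)
{
    struct demo_result r = { -1, -1, -1, -1 };
    struct capsets cur, dropped, attempt;

    if (caps_get(&cur) != 0)
        return r;

    /* 1. Shrinking is always allowed (a no-op if the bit was never held). */
    dropped.permitted   = cur.permitted   & ~SAMPLE_CAP_BIT;
    dropped.effective   = cur.effective   & ~SAMPLE_CAP_BIT;
    dropped.inheritable = cur.inheritable & ~SAMPLE_CAP_BIT;
    r.drop_rc = caps_set(&dropped);

    /* 2. Permitted only ever shrinks: the bit cannot be taken back. */
    attempt = dropped;
    attempt.permitted |= SAMPLE_CAP_BIT;
    r.raise_permitted_rc = caps_set(&attempt);

    /* 3. Effective must stay a subset of permitted. */
    attempt = dropped;
    attempt.effective |= SAMPLE_CAP_BIT;
    r.raise_effective_rc = caps_set(&attempt);

    /* 4. Inside permitted, effective may be lowered (and raised again) at will:
     *    the permitted-but-not-effective state the question asks about. */
    attempt = dropped;
    attempt.effective = 0;
    r.clear_effective_rc = caps_set(&attempt);
    return r;
}

int main(void)
{
    struct capsets c;
    if (caps_get(&c) == 0)
        printf("CapPrm=%016llx CapEff=%016llx CapInh=%016llx\n",
               c.permitted, c.effective, c.inheritable);
    struct demo_result r = run_demo();
    printf("drop=%d raise_permitted=%d raise_effective=%d clear_effective=%d\n",
           r.drop_rc, r.raise_permitted_rc, r.raise_effective_rc, r.clear_effective_rc);
    return 0;
}
```

Run it once as an ordinary user and once under `sudo`, or inside a container with a reduced capability set, and compare the CapPrm/CapEff line with `grep Cap /proc/self/status`; the four result codes come out the same either way, which is the point: the ceiling is enforced by the kernel, not by the process's good manners.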
