From: Andreas Gruenbacher Subject: Disable file capabilities by default Patch-mainline: probably never Disable file capabilities by default: we are still lacking documentation and file capability awareness in system management tools. Signed-off-by: Andreas Gruenbacher --- Documentation/kernel-parameters.txt | 8 +++++++- kernel/capability.c | 9 ++++++++- 2 files changed, 15 insertions(+), 2 deletions(-) --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt @@ -1659,7 +1659,13 @@ and is between 256 and 4096 characters. no_file_caps Tells the kernel not to honor file capabilities. The only way then for a file to be executed with privilege - is to be setuid root or executed by root. + is to be setuid root or executed by root. They + default to disabled. + + file_caps Tells the kernel to honor file capabilities. The + only way then for a file to be executed with privilege + is to be setuid root or executed by root. They default + to disabled. nohalt [IA-64] Tells the kernel not to use the power saving function PAL_HALT_LIGHT when idle. This increases --- a/kernel/capability.c +++ b/kernel/capability.c @@ -28,7 +28,7 @@ EXPORT_SYMBOL(__cap_empty_set); EXPORT_SYMBOL(__cap_full_set); EXPORT_SYMBOL(__cap_init_eff_set); -int file_caps_enabled = 1; +int file_caps_enabled; static int __init file_caps_disable(char *str) { @@ -37,6 +37,13 @@ static int __init file_caps_disable(char } __setup("no_file_caps", file_caps_disable); +static int __init file_caps_enable(char *str) +{ + file_caps_enabled = 1; + return 1; +} +__setup("file_caps", file_caps_enable); + /* * More recent versions of libcap are available from: *