permission.keepcapspermission.setgrouppermission.setuserpermission.setupcapspermission.setambientcap
This library provides functions to control the process permissions on the system.
Unless otherwise noted, in case of errors, all functions described below return nil, followed by an error message and an error number.
Retains the ability to inherit the current capabilities after changing users.
Must be called before changing users to allow using permission.setupcaps afterwards.
Changes the group of the current process to the group with name group.
Changes the user of the current process to the user with name user.
Sets the current process' effective, inheritable and permitted capabilities to the ones provided.
Each cap is a string representing a capability. This is the same name as the symbol in the kernel, but lowercase and without the CAP_ prefix. I.e. CAP_NET_ADMIN becomes "net_admin".
See the list of supported capabilities bellow.
Adds a capability to the current process' ambient set. This allows other processes we start to inherent these capabilities.
Unlike permission.setupcaps, this function takes a single capability string and adds it to the current set.
See the list of supported capabilities bellow.
- "chown"
- "dac_override"
- "dac_read_search"
- "fowner"
- "fsetid"
- "ipc_lock"
- "ipc_owner"
- "kill"
- "linux_immutable"
- "net_admin"
- "net_bind_service"
- "net_broadcast"
- "net_raw"
- "setgid"
- "setpcap"
- "setuid"
- "sys_admin"
- "sys_boot"
- "sys_chroot"
- "sys_module"
- "sys_nice"
- "sys_pacct"
- "sys_ptrace"
- "sys_rawio"
- "sys_resource"
- "sys_time"
- "sys_tty_config"
- "wake_alarm"
- "lease"
- "mknod"
- "audit_control"
- "audit_write"
- "setfcap"
- "mac_admin"
- "mac_override"
- "syslog"
- "block_suspend"
- "audit_read"