参考: https://man7.org/linux/man-pages/man7/capabilities.7.html
Linux 功能
For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process’s credentials (usually: effective UID, effective GID, and supplementary group list). Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.
权限检查时, 传统的UNIX区分两类进程: 特权进程(UID=0). 非特权进程(UID!=0); 特权进程跳过所有内核检查, 非特权进程需要进行权限检查.
kernel 2.2开始, Linux将与root用户关联的权限区分成不同的单元, 可以独立启用和禁用. 功能面向的对象是线程的.
Capabilities列表:
- CAP_SYS_NICE
- 更改进程的nice值
- 为调用进程设置实时调度策略
- 设置CPU亲和度
- 设置IO
若有收获,就点个赞吧
0 人点赞
