This file is automatically generated from capbase by capdump. Do not modify, unless you want your changes discarded. Generated at Sat May 15 14:25:27 MET DST 1999 on Linux atrey 2.0.35 #4 Thu Sep 24 20:10:58 MET DST 1998 i586.

Programs and capabilities they need

Program | What they are good for | Caps needed | FS rights needed | Comment
--------+------------------------+-------------+------------------+--------
ping, traceroute | ping programs | NET_RAW, NET_BROADCAST | none | (sure!) (maybe less?)
fping | ping programs | NET_RAW, NET_BROADCAST | none | (maybe less?) (does getuid and expects 0)
mount, umount, fdmount | mount utilities | SYS_ADMIN | none |
su, login | user login | SETUID, SETGID | ro /etc/shadow |
newgrp | group login | SETGID | ro /etc/gshadow |
rcp, rlogin, rsh, ssh1 | remote login | NET_BIND_SERVICE | none | (sure!)
cons.saver | vcsa access wrapper for midnight | none | rw /dev/vcsa* | Older versions of cons.saver need r/w access to /dev/tty; fixed in 4.5.32. (sure!)
gpasswd | setting of group information | none | rw /etc/{group,gshadow} |
chfn, chsh, passwd, chage | setting of user information | none | rw /etc/{passwd,shadow} |
screen, xterm | terminals | none | rw /var/run/{utmp,wtmp} |
ncpmount, ncpumount, nwsfind | netware utilities | SYS_ADMIN, NET_RAW | none | (maybe less?)
XF86_*, Xwrapper | X-windows servers | NET_BIND_SERVICE, SYS_RAWIO | none | (does getuid and expects 0)
lpr, lprm, lpq, lpc | printer spooling | none | rw * | I'm not sure what they really need to access.
sendmail | mail handler | NET_BIND_SERVICE | none | (sure!)
procmail | mail delivery | SETUID | rw * | I'm not sure about this one.
at, crontab | scheduling of jobs for later execution | none | rw * | They only need special fs rights, but I'm not sure which rights. Unfortunately, breaking into these gives you full root a few seconds later, so...
suidperl, sperl* | Perl setuid handler | ALL | ALL | No workaround for this one; they really need full root by design.
pppd | Point-to-point protocol handler | none | none | It is setuid root but executable only by group root. I wonder what this can be good for?
dga, xload, expiry | miscellaneous | none | none | probably unnecessary
zgv | SVGAlib programs | none | none | These programs are unsafe by design. They usually drop uid 0 at the beginning, but that is not enough, as they keep /dev/kmem open. Bad, bad. [They would like SYS_RAWIO and rw /dev/kmem for their function, but as they are designed to be a security hole, I think we had better warn about them.]
init | system runlevel changer | ALL | ALL | (daemon)
gpm, syslogd, klogd, cardmgr, bdflush, *getty, cron | basic system daemons | ALL | ALL | (daemon)
portmap | port mapping service for RPC | NET_BIND_SERVICE | none | (daemon)
inetd, munetd | launchers of other daemons | ALL | ALL | (daemon)
sshd, rpc.nfsd, rpc.mountd, rpc.rstatd, ftpd, in.telnetd, in.rshd, in.rlogind, in.rexecd, in.ntalkd, in.talkd, bootps, cucipop, *finger* | internet services | ALL | ALL | I'm sure some of these can run with lower privileges. (daemon)
identd, tftp | internet services | none | none | These are internet services that were configured to run non-root on my system. (daemon)
* | unknown to me | none | none | I do not know these programs; feel free to add them to capbase.txt and mail me the resulting file.
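The table gives capability names without the CAP_ prefix; the kernel identifies them by the bit numbers in <linux/capability.h>. The C program below is an added example, not part of capbase or capdump: it shows how a setuid-root program such as ping would shrink itself at startup to the set the table lists for it (NET_RAW and NET_BROADCAST), and then read the sets back to confirm the drop took effect. It uses the raw capget(2)/capset(2) syscalls (Linux only, no libcap); the function names cap_mask, ping_mask, get_permitted, keep_only_caps and drop_and_verify are this example's own.

```c
/* Added example (not part of capbase/capdump): shrink the running process to
 * the capabilities the table lists for a program, then verify the result.
 * Linux only; uses the raw capget(2)/capset(2) syscalls so it needs no
 * libcap.  Capability numbers come from <linux/capability.h>; the function
 * names are this example's own. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Bit mask of the capabilities in caps[0..n-1]. */
uint64_t cap_mask(const int *caps, size_t n)
{
    uint64_t m = 0;
    for (size_t i = 0; i < n; i++)
        if (caps[i] >= 0 && caps[i] < 64)
            m |= (uint64_t)1 << caps[i];
    return m;
}

/* The set the table gives for ping/traceroute: NET_RAW, NET_BROADCAST. */
uint64_t ping_mask(void)
{
    static const int caps[] = { CAP_NET_RAW, CAP_NET_BROADCAST };
    return cap_mask(caps, sizeof caps / sizeof caps[0]);
}

/* Current permitted set of this process as a 64-bit mask; -1 on error. */
int get_permitted(uint64_t *out)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    *out = (uint64_t)data[0].permitted | ((uint64_t)data[1].permitted << 32);
    return 0;
}

/* Keep only (current permitted & wanted) in permitted and effective, and
 * clear inheritable so nothing is handed on across exec.  Shrinking to a
 * subset of what is already held is always allowed, so this works for a
 * setuid-root program (it really drops the rest) and for an unprivileged
 * run (it is then a no-op); -1 on error. */
int keep_only_caps(uint64_t wanted)
{
    uint64_t cur, keep;
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];

    if (get_permitted(&cur) != 0)
        return -1;
    keep = cur & wanted;
    memset(data, 0, sizeof data);
    data[0].permitted = data[0].effective = (uint32_t)keep;
    data[1].permitted = data[1].effective = (uint32_t)(keep >> 32);
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

/* Drop to `wanted` and read back: 1 if nothing outside `wanted` remains
 * permitted, 0 otherwise (or on error).  A program should make this check
 * rather than trust that the capset call did what it asked. */
int drop_and_verify(uint64_t wanted)
{
    uint64_t after;
    if (keep_only_caps(wanted) != 0 || get_permitted(&after) != 0)
        return 0;
    return (after & ~wanted) == 0;
}

int main(void)
{
    uint64_t before = 0, after = 0;
    if (get_permitted(&before) != 0) { perror("capget"); return 1; }
    if (!drop_and_verify(ping_mask())) {
        fprintf(stderr, "could not reduce capabilities\n");
        return 1;
    }
    get_permitted(&after);
    printf("permitted before: %#llx, after: %#llx (kept: NET_RAW|NET_BROADCAST)\n",
           (unsigned long long)before, (unsigned long long)after);
    return 0;
}
```

Run as root the "after" mask is 0x2800 (bits 13 and 11); run as an ordinary user both masks are 0, because a process can only ever shrink its sets. The same pattern applies to the other rows: build the mask from the "Caps needed" column and call drop_and_verify before touching any untrusted input.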

Created by Pavel Machek.