Start as root, either by authenticating as root or executing a setuid root binary.
The file effective set will be full on if the process's effective uid is root or the file is setuid root.
This set of rules allows a process to have capabilities either by virtue of being root or by running a setuid root file.
The file inheritable and permitted sets will be full on if the process's real or effective uid is 0 (root) or the file is setuid root.
Nevertheless, file capabilities applied judiciously to system binaries in place of making them setuid root can help protect your systems.
But a significant contributing factor is that Sendmail is often installed as a monolithic "setuid root" program, with complete control over the system it runs on.
For example, a program that needs a single root privilege may get started as root (say, by being setuid root) and then switch to running as a less-privileged user.
The quickest way to check whether at could be made to run by a non-root user without being setuid root is to remove the setuid bit and then grant it all capabilities.
The UNIX passwd command is an example; it's a command-line tool with special privileges to change the password (setuid root), but the only thing it can do is change passwords.
In another window, as non-root, execute the ping binary without the setuid bit set.
On top of this, distributions sometimes apply their own patches, which can make it impossible to replace the root setuid bit with file capabilities in some situations.