Linux capabilities are here

My thanks to Craig Small for making me aware of how simple Linux capabilities are.  I remember hearing about them from time to time, but they usually got mingled with SELinux in my mind, and I assumed they were just as complicated and troublesome.  Little did I know...

 $ ls -l /bin/ping
-rwxr-xr-x 1 root root 44104 Jun 18 17:37 /bin/ping

Look Ma, no SUID!  I've been using them all this time.  :)

One thing escaped me, though: are capabilities set up at boot time (like sysctl), or are they stored on the filesystem, like the old SUID?  Turns out they are indeed stored, as attributes:

$ lsattr /bin/ping
-------------e-- /bin/ping

Erm, I mean, extended attributes:

 $ getfattr /bin/ping

Oops, getfattr(1) only displays user attributes by default.  My bad:

$ getfattr -m '-' /bin/ping
# file: bin/ping
security.capability

Oops, getfattr only displays the list of attribute names by default.  My bad:

$ getfattr -d -m '-' /bin/ping
# file: bin/ping
security.capability=0sAQAAAgAgAAAAAAAAAAAAAAAAAAA=

Huh.  This kinda looks like base64, doesn't it?  Ah, the manpage doesn't really say which encoding is chosen by default.  Let's give this another try:

$ getfattr -d -e hex -m '-' /bin/ping
# file: bin/ping
security.capability=0x0100000200200000000000000000000000000000

There we go.