Now that we have seen the details of both models (the traditional UNIX permissions model in the previous chapter and the modern POSIX capabilities model in this one), we take a bird's-eye view of the two. The reality of a modern Linux kernel is that the legacy model is actually layered on top of the newer capabilities model; the following table shows this "layering":
| Pros and Cons | Model/Attributes |
|---|---|
| Simpler, less secure | UNIX Permissions: Process and File with UID, GID values embedded |
| | Process credentials: {RUID, RGID, EUID, EGID} |
| More complex, more secure | POSIX Capabilities: Thread Capsets, File Capsets |
| | Per Thread: {Inherited, Permitted, Effective, Bounded, Ambient} capsets |
| | Binary File: {Inherited, Permitted, ... |
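Both layers of the table can be seen side by side for one task. The following is an added example, not code from the book: it parses the `Uid`, `Gid` and `CapInh`/`CapPrm`/`CapEff`/`CapBnd`/`CapAmb` lines of `/proc/<pid>/status` and flags a task that is privileged through capability bits while its EUID is non-zero. The names `task_privs`, `parse_status`, `privileged_without_root` and the sample text are assumptions made for this illustration.

```c
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

struct task_privs {   /* both layers of one task, from /proc/<pid>/status */
    unsigned ruid, euid, rgid, egid;   /* legacy layer: process credentials */
    uint64_t inh, prm, eff, bnd, amb;  /* capability layer: per-thread capsets */
};

/* Constructed sample: non-root task with only cap bit 10 (CAP_NET_BIND_SERVICE). */
static const char SAMPLE_STATUS[] =
    "Name:\tdemo\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000400\n"
    "CapEff:\t0000000000000400\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n";

/* Parse status text into *p; returns the number of values found (9 = all). */
int parse_status(const char *text, struct task_privs *p)
{
    static const char *keys[] = { "CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb" };
    uint64_t *sets[] = { &p->inh, &p->prm, &p->eff, &p->bnd, &p->amb };
    int n = 0;
    memset(p, 0, sizeof *p);
    for (const char *l = text; l && *l; l = strchr(l, '\n'), l = l ? l + 1 : NULL) {
        if (sscanf(l, "Uid: %u %u", &p->ruid, &p->euid) == 2) n += 2;
        else if (sscanf(l, "Gid: %u %u", &p->rgid, &p->egid) == 2) n += 2;
        else for (int i = 0; i < 5; i++)
            if (!strncmp(l, keys[i], 6) && sscanf(l + 6, ": %" SCNx64, sets[i]) == 1)
                n++;
    }
    return n;
}

/* True when the task is privileged through capability bits although EUID != 0. */
int privileged_without_root(const struct task_privs *p)
{
    return p->euid != 0 && p->eff != 0;
}

int main(void)
{
    static char buf[8192];                       /* zero-filled, stays terminated */
    struct task_privs p;
    FILE *f = fopen("/proc/self/status", "r");   /* live data when run on Linux */
    size_t len = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    parse_status(len ? buf : SAMPLE_STATUS, &p);
    printf("EUID=%u EGID=%u CapEff=%#" PRIx64 " CapBnd=%#" PRIx64 " cap-only=%d\n",
           p.euid, p.egid, p.eff, p.bnd, privileged_without_root(&p));
    return 0;
}
```

Run as an ordinary user the live output normally shows a zero `CapEff`; run as root it shows a full effective set with `cap-only=0`, which is the legacy model expressed in terms of the capability one.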