www.TrustedBSD.org
TrustedBSD POSIX.1e Capabilities

Perforce: //depot/projects/trustedbsd/cap/...

Collection: p4-cvs-trustedbsd-cap

POSIX.1e breaks root privilege into a set of capabilities, or more strictly privileges, each of which grants the specific privilege required by a particular POSIX call, such as setuid(). POSIX.1e defines extensions to process and file state that allow privileges to be granted to processes, either by inheritance or through a file privilege model similar to setuid/setgid.

The TrustedBSD capability project is currently inactive, but an implementation of POSIX.1e capabilities for an older FreeBSD release is available and functional, and may be found in Perforce/cvsup. Certain key files are provided in a tarball for download on this page.

These changes have not yet been integrated into FreeBSD because they represent a substantial risk: they change the superuser privilege model, other operating systems have suffered a number of vulnerabilities from both implementation and logic errors in fine-grained privileges, and this implementation has seen insufficient review. Also, the in-kernel API for privilege checking is limited to a 32-bit or 64-bit privilege mask, which leaves insufficient room for future growth in the number of privileges or for further fine-graining.
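To make the two points above concrete (a per-call privilege check replacing the monolithic superuser test, and the fixed-width mask whose growth limit is noted here), the following is an added C example written for this page; it is not TrustedBSD code and is not taken from the Perforce branch or the tarball. The privilege names and bit positions are constructed, and the exec-time inheritance rule is assumed from the POSIX.1e draft (pP' = fP | (fI & pI), pE' = fE ? pP' : 0, pI' = pI) rather than taken from the FreeBSD implementation.

```c
/* Toy model of POSIX.1e-style privilege sets and the exec-time inheritance
 * rule. Added example, not TrustedBSD code; bit names and positions are
 * constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t privset_t;            /* the 64-bit mask the page describes */

/* Constructed privilege bits (hypothetical names, not kernel identifiers). */
#define PRIV_SETUID    (1ULL << 0)     /* required by setuid() */
#define PRIV_NET_BIND  (1ULL << 1)     /* bind to a reserved port */
#define PRIV_DAC_READ  (1ULL << 2)     /* bypass read permission bits */
#define PRIV_KILL      (1ULL << 3)     /* signal processes of other users */
#define PRIV_ALL_DEFINED (PRIV_SETUID | PRIV_NET_BIND | PRIV_DAC_READ | PRIV_KILL)

struct privstate {                      /* per-process privilege state */
    privset_t permitted;    /* privileges the process may make effective */
    privset_t effective;    /* privileges honoured by checks right now */
    privset_t inheritable;  /* privileges offered to the next exec'd image */
};

struct fileprivs {                      /* per-file privilege state */
    privset_t permitted;    /* privileges the file always grants */
    privset_t inheritable;  /* privileges it accepts from the caller */
    bool      effective;    /* flag: make the permitted set effective at exec */
};

/* Fine-grained replacement for a monolithic "is the caller root?" check. */
static bool priv_check(const struct privstate *p, privset_t priv)
{
    return (p->effective & priv) == priv;
}

/* A process may only enable what its permitted set allows... */
static bool priv_raise(struct privstate *p, privset_t priv)
{
    if ((p->permitted & priv) != priv)
        return false;
    p->effective |= priv;
    return true;
}

/* ...and dropping a permitted privilege is irreversible for that process. */
static void priv_drop(struct privstate *p, privset_t priv)
{
    p->permitted &= ~priv;
    p->effective &= ~priv;
}

/* Exec-time transition, assumed here from the POSIX.1e draft rules:
 *   pP' = fP | (fI & pI),   pE' = fE ? pP' : 0,   pI' = pI */
static struct privstate priv_exec(const struct privstate *p,
                                  const struct fileprivs *f)
{
    struct privstate n;
    n.permitted   = f->permitted | (f->inheritable & p->inheritable);
    n.effective   = f->effective ? n.permitted : 0;
    n.inheritable = p->inheritable;
    return n;
}

/* How many privilege bits remain unassigned in a 64-bit mask. */
static int priv_free_bits(privset_t defined)
{
    int n = 0;
    for (int i = 0; i < 64; i++)
        if (!(defined & (1ULL << i)))
            n++;
    return n;
}

/* Scenario: an unprivileged process whose inheritable set offers PRIV_KILL
 * execs a daemon image marked fP = PRIV_NET_BIND, fI = PRIV_KILL | PRIV_SETUID,
 * fE set. Unlike setuid-root, the daemon ends up with exactly two privileges. */
static struct privstate demo_exec_daemon(void)
{
    struct privstate caller = { 0, 0, PRIV_KILL };
    struct fileprivs image  = { PRIV_NET_BIND, PRIV_KILL | PRIV_SETUID, true };
    return priv_exec(&caller, &image);
}

static privset_t demo_effective_after_exec(void)
{
    struct privstate d = demo_exec_daemon();
    return d.effective;                    /* PRIV_NET_BIND | PRIV_KILL */
}

static bool demo_setuid_allowed_after_exec(void)
{
    struct privstate d = demo_exec_daemon();
    return priv_check(&d, PRIV_SETUID);    /* fI offered it, pI did not: denied */
}

/* Raising beyond the permitted set fails; dropping then removes a privilege. */
static bool demo_raise_then_drop(void)
{
    struct privstate d = demo_exec_daemon();
    bool raised = priv_raise(&d, PRIV_SETUID);
    priv_drop(&d, PRIV_NET_BIND);
    return !raised && !priv_check(&d, PRIV_NET_BIND) && priv_check(&d, PRIV_KILL);
}

int main(void)
{
    struct privstate d = demo_exec_daemon();
    printf("effective after exec: 0x%llx\n", (unsigned long long)d.effective);
    printf("setuid() allowed: %s\n", priv_check(&d, PRIV_SETUID) ? "yes" : "no");
    printf("free privilege bits: %d\n", priv_free_bits(PRIV_ALL_DEFINED));
    return 0;
}
```

The daemon scenario shows why the model is attractive: the exec'd image holds only the bits the file grants or the caller offered, so a later compromise of that process cannot call setuid() the way a setuid-root binary could. The free-bit count is the other side of the page's argument: every privilege costs one bit of a fixed mask, which is why a mask-based API leaves little room for finer-grained categories.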

Up-to-date versions of the kernel API changes to perform fine-grained privilege checking, without the capability model itself, may be found in the SEBSD branch, and include modifications to the TrustedBSD MAC Framework to allow MAC modules to deny privilege based on the POSIX.1e privilege categories.

2006-03-26 FreeBSD 5.0 POSIX.1e capability reference files snapshot. These are reference BSD-licensed POSIX.1e privilege files derived from an early TrustedBSD implementation, and do not represent a complete or supported implementation. Download.