| 1 |
On 2013-12-10, Canek Pel??ez Vald??s <caneko@×××××.com> wrote: |
| 2 |
|
| 3 |
>> How do you grant a capability (e.g. CAP_NET_RAW) to a user? |
| 4 |
|
| 5 |
> From man:capabilities(7): "Capabilities are a per-thread attribute." |
| 6 |
> |
| 7 |
> I don't think you can grant any capability to a user. |
| 8 |
|
| 9 |
I've found some indications that you can. Various references to |
| 10 |
PAM_CAP imply that I should be able to do what I want. From |
| 11 |
http://blog.siphos.be/2013/05/restricting-and-granting-capabilities/: |
| 12 |
|
| 13 |
You can also grant capabilities to users selectively, using |
| 14 |
pam_cap.so (the Capabilities Pluggable Authentication Module). |
| 15 |
|
| 16 |
But the example provided only shows how to grant capabilities to a |
| 17 |
user that can then be inherited by files which must also have that |
| 18 |
same capability enabled. That's not quite what I want to do (and it |
| 19 |
doesn't seem to work). |
| 20 |
|
| 21 |
There are two reasons that granting the capability to the executable |
| 22 |
isn't feasible: |
| 23 |
|
| 24 |
1) Some of the programs are written in Python, and I don't want to |
| 25 |
grant the capability to all Python programs by setting the |
| 26 |
capability on /usr/bin/python. |
| 27 |
|
| 28 |
2) Some of the programs are ELF executables (compiled C programs) |
| 29 |
that are under developement and are being continuously re-built |
| 30 |
and re-run. If I have to do a "sudo setcap" everytime I |
| 31 |
compile/run a program, then I might as well just do "sudo |
| 32 |
<program>" the way I do now. |
| 33 |
|
| 34 |
> A workaround for what you want is to write a little executable that |
| 35 |
> only execvp's bash (or whatever shell you use), grant that executable |
| 36 |
> CAP_NET_RAW, and then set it as default shell with usermod. |
| 37 |
|
| 38 |
I thought about that, but that seems fragile. |
| 39 |
|
| 40 |
I supposed I could set the capability on /bin/bash with +p instead of |
| 41 |
+ep, then it should only take effect for users who have the capability |
| 42 |
enabled (though I haven't been able to get that to work yet). |
| 43 |
|
| 44 |
-- |
| 45 |
Grant Edwards grant.b.edwards Yow! My vaseline is |
| 46 |
at RUNNING... |
| 47 |
gmail.com |
Archives