On 2013-12-10, Canek Peláez Valdés <caneko@×××××.com> wrote:

>> How do you grant a capability (e.g. CAP_NET_RAW) to a user?

> From man:capabilities(7): "Capabilities are a per-thread attribute."
>
> I don't think you can grant any capability to a user.

I've found some indications that you can. Various references to
PAM_CAP imply that I should be able to do what I want. From
http://blog.siphos.be/2013/05/restricting-and-granting-capabilities/:

    You can also grant capabilities to users selectively, using
    pam_cap.so (the Capabilities Pluggable Authentication Module).

But the example provided only shows how to grant capabilities to a
user that can then be inherited by files which must also have that
same capability enabled. That's not quite what I want to do (and it
doesn't seem to work).

There are two reasons that granting the capability to the executable
isn't feasible:

1) Some of the programs are written in Python, and I don't want to
grant the capability to all Python programs by setting the
capability on /usr/bin/python.

2) Some of the programs are ELF executables (compiled C programs)
that are under development and are being continuously re-built
and re-run. If I have to do a "sudo setcap" every time I
compile/run a program, then I might as well just do "sudo
<program>" the way I do now.

> A workaround for what you want is to write a little executable that
> only execvp's bash (or whatever shell you use), grant that executable
> CAP_NET_RAW, and then set it as default shell with usermod.

I thought about that, but that seems fragile.

I suppose I could set the capability on /bin/bash with +p instead of
+ep, then it should only take effect for users who have the capability
enabled (though I haven't been able to get that to work yet).

-- 
Grant Edwards               grant.b.edwards        Yow! My vaseline is
                            at                     RUNNING...
                            gmail.com
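The interplay between setcap flags and a pam_cap grant that the thread is circling is just the exec-time capability rules from capabilities(7). As an added illustration (not code from the original posts), the model below applies those rules for a 2013-era kernel (before ambient capabilities) to the setcap specs discussed and to a per-user inheritable grant of the kind pam_cap.so makes; the CAP bit numbers follow <linux/capability.h>.

```python
# Model of the capability transformation Linux applies on execve(), per
# capabilities(7) for 2013-era kernels (no ambient set). Added example,
# not from the thread; bit positions are those of <linux/capability.h>.

CAPS = {"cap_net_raw": 1 << 13, "cap_net_admin": 1 << 12}

def parse_file_caps(spec):
    """Turn a setcap-style spec such as 'cap_net_raw+ei' into
    (permitted_bits, inheritable_bits, effective_flag).
    Only the 'name[,name]+flags' form is handled here."""
    names, flags = spec.split("+")
    bits = 0
    for name in names.split(","):
        bits |= CAPS[name]
    perm = bits if "p" in flags else 0
    inh = bits if "i" in flags else 0
    return perm, inh, "e" in flags

def exec_caps(proc_inheritable, file_spec, bounding=~0):
    """Capability sets of the new process image after exec.

    proc_inheritable: the thread's inheritable set before exec; this is
                      what pam_cap.so fills in at login, per user.
    file_spec:        what `setcap` wrote on the executable.
    Returns (permitted, effective, inheritable)."""
    f_perm, f_inh, f_eff = parse_file_caps(file_spec)
    # P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & cap_bset)
    new_perm = (proc_inheritable & f_inh) | (f_perm & bounding)
    # P'(effective) = F(effective) ? P'(permitted) : 0
    new_eff = new_perm if f_eff else 0
    # P'(inheritable) = P(inheritable)
    return new_perm, new_eff, proc_inheritable

def has_net_raw(proc_inheritable, file_spec):
    """(in permitted?, in effective?) for CAP_NET_RAW after exec."""
    perm, eff, _ = exec_caps(proc_inheritable, file_spec)
    bit = CAPS["cap_net_raw"]
    return bool(perm & bit), bool(eff & bit)

if __name__ == "__main__":
    # Constructed users: one listed for cap_net_raw in capability.conf, one not.
    granted = CAPS["cap_net_raw"]
    for user, inh in (("granted-user", granted), ("other-user", 0)):
        for spec in ("cap_net_raw+ep", "cap_net_raw+p",
                     "cap_net_raw+i", "cap_net_raw+ei"):
            print(user, spec, has_net_raw(inh, spec))
```

Running it shows why +ep or +p on the file reaches every user (only the effective bit differs), while +i or +ei reaches only the user whose inheritable set pam_cap populated; without the e flag the program must raise the capability itself.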