From man:capabilities(7): "Capabilities are a per-thread attribute."

I don't think you can grant any capability to a user. A workaround for
what you want is to write a little executable that only execvp's bash
(or whatever shell you use), grant that executable CAP_NET_RAW, and
then set it as default shell with usermod.

Regards.

On Tue, Dec 10, 2013 at 12:16 PM, Grant Edwards
<grant.b.edwards@×××××.com> wrote:
> How do you grant a capability (e.g. CAP_NET_RAW) to a user?
>
> I've been googling and have found countless articles and blog posts
> explaining what each capability is and how to grant capabilities to an
> executable file. While granting the capability to an executable does
> work, that's not what I need to do for a couple different reasons.
>
> I need to grant the capability to a user, not to the executable.
>
> There were a couple vague references implying that you can configure
> "login to grant the desired capabilities" when a user logs in, but
> I've not found any documentation on how to do that.
>
> I've tried editing /etc/security/capability.conf and adding the line
>
> cap_net_raw <username>
>
> But, that doesn't seem to have any effect (yes, I logged out and back
> in again).
>
> --
> Grant Edwards grant.b.edwards Yow! Mary Tyler Moore's
> at SEVENTH HUSBAND is wearing
> gmail.com my DACRON TANK TOP in a
> cheap hotel in HONOLULU!
>

--
Canek Peláez Valdés
Posgrado en Ciencia e Ingeniería de la Computación
Universidad Nacional Autónoma de México
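
An added sketch of the wrapper described in the reply above (not code from the thread). It assumes Linux 4.3 or later: a non-root process that execs a shell without file capabilities keeps only its ambient set, so the wrapper raises CAP_NET_RAW into ambient before the exec. The name rawshell, its install path and /bin/bash are assumptions.

```c
/* Added example: login-shell wrapper (name and paths are assumptions). Install with
 *   setcap cap_net_raw+p /usr/local/bin/rawshell; usermod -s /usr/local/bin/rawshell <username> */
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Read this thread's capability sets (v3 ABI: two 32-bit words per set). */
static int get_caps(struct __user_cap_header_struct *h,
                    struct __user_cap_data_struct d[2])
{
    h->version = _LINUX_CAPABILITY_VERSION_3;
    h->pid = 0;                              /* 0 = calling thread */
    return (int)syscall(SYS_capget, h, d);
}

/* 1 if cap is in the permitted set, 0 if not, -1 on error or bad number. */
int has_permitted(int cap)
{
    struct __user_cap_header_struct h;
    struct __user_cap_data_struct d[2];
    if (cap < 0 || cap > 63 || get_caps(&h, d) != 0)
        return -1;
    return (d[cap / 32].permitted >> (cap % 32)) & 1;
}

/* Make cap survive execve(): it must be permitted and inheritable before it can go ambient. */
int raise_ambient(int cap)
{
    struct __user_cap_header_struct h;
    struct __user_cap_data_struct d[2];
    if (has_permitted(cap) != 1 || get_caps(&h, d) != 0)
        return -1;
    d[cap / 32].inheritable |= 1u << (cap % 32);
    if (syscall(SYS_capset, &h, d) != 0)
        return -1;
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    (void)argc;
    if (raise_ambient(CAP_NET_RAW) != 0)
        fprintf(stderr, "rawshell: CAP_NET_RAW unavailable, continuing without it\n");
    execvp("/bin/bash", argv);   /* argv[0] is kept, so a leading '-' still means login shell */
    perror("execvp");
    return 127;
}
```

Every program started from this shell inherits CAP_NET_RAW as well, because the ambient set carries across each later exec of a binary that has no file capabilities or set-user-ID bits.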