From: "Canek Peláez Valdés" <caneko@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] How to grant a CAP_NET_RAW capability to user?
Date: Tue, 10 Dec 2013 12:39:30 -0600
Message-ID: <CADPrc80ZbUExn7CFq-g5dVY6erT2PwL-jbPTTZfDMNB_1D0TFw@mail.gmail.com>
In-Reply-To: <l87lqe$7p1$1@ger.gmane.org>

From man:capabilities(7): "Capabilities are a per-thread attribute."
I don't think you can grant any capability to a user. A workaround for
what you want is to write a little executable that only execvp's bash
(or whatever shell you use), grant that executable CAP_NET_RAW, and
then set it as default shell with usermod.
Regards.
On Tue, Dec 10, 2013 at 12:16 PM, Grant Edwards
<grant.b.edwards@gmail.com> wrote:
> How do you grant a capability (e.g. CAP_NET_RAW) to a user?
>
> I've been googling and have found countless articles and blog posts
> explaining what each capability is and how to grant capabilities to an
> executable file. While granting the capability to an executable does
> work, that's not what I need to do for a couple different reasons.
>
> I need to grant the capability to a user, not to the executable.
>
> There were a couple vague references implying that you can configure
> "login to grant the desired capabilities" when a user logs in, but
> I've not found any documentation on how to do that.
>
> I've tried editing /etc/security/capability.conf and adding the line
>
> cap_net_raw <username>
>
> But, that doesn't seem to have any effect (yes, I logged out and back
> in again).
>
> --
> Grant Edwards grant.b.edwards Yow! Mary Tyler Moore's
> at SEVENTH HUSBAND is wearing
> gmail.com my DACRON TANK TOP in a
> cheap hotel in HONOLULU!
>
>
--
Canek Peláez Valdés
Posgrado en Ciencia e Ingeniería de la Computación
Universidad Nacional Autónoma de México
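
Added example, not part of the original message or of any project's code: one way to write the wrapper described above. A capability held only in the wrapper's permitted set is dropped at execve() of a shell that has no file capabilities, so this sketch first raises CAP_NET_RAW into the inheritable and ambient sets (Linux 4.3 or later). Assumptions: the name capshell, the /bin/bash path and the setcap invocation in the comment are illustrative.

```c
#define _GNU_SOURCE
/* capshell.c: added example, not code from the thread. Build and grant:
 *   cc -o capshell capshell.c && sudo setcap cap_net_raw+p ./capshell */
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

#ifndef PR_CAP_AMBIENT            /* headers older than Linux 4.3 */
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_RAISE 2
#endif
#define TARGET_SHELL "/bin/bash"  /* assumption: the user's real shell */

/* Read the calling thread's capability sets with raw capget(2). */
static int get_caps(struct __user_cap_header_struct *h,
                    struct __user_cap_data_struct d[2]) {
    h->version = _LINUX_CAPABILITY_VERSION_3;
    h->pid = 0;                   /* 0 = calling thread */
    return (int)syscall(SYS_capget, h, d);
}

/* 1 if cap is in the permitted set, 0 if it is not (or on error). */
int has_permitted(int cap) {
    struct __user_cap_header_struct h;
    struct __user_cap_data_struct d[2];
    if (get_caps(&h, d) != 0) return 0;
    return (d[CAP_TO_INDEX(cap)].permitted & CAP_TO_MASK(cap)) != 0;
}

/* Add cap to the inheritable set, then to the ambient set, so it
 * survives execve(). Returns 0 on success, -1 if the kernel refuses. */
int raise_ambient(int cap) {
    struct __user_cap_header_struct h;
    struct __user_cap_data_struct d[2];
    if (get_caps(&h, d) != 0) return -1;
    d[CAP_TO_INDEX(cap)].inheritable |= CAP_TO_MASK(cap);
    if (syscall(SYS_capset, &h, d) != 0) return -1;
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) ? -1 : 0;
}

int main(int argc, char **argv) {
    if (argc < 1 || raise_ambient(CAP_NET_RAW) != 0)
        perror("capshell: CAP_NET_RAW not raised");  /* shell still starts */
    execvp(TARGET_SHELL, argv);   /* keeps argv[0], e.g. "-capshell" at login */
    perror("capshell: execvp");
    return 127;
}
```

Every program started from this shell inherits CAP_NET_RAW unless it is set-user-ID/set-group-ID or carries its own file capabilities. A file capability applies to anyone who can execute the binary, so restrict its execute permission to the intended user.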