Date: Tue, 10 Dec 2013 12:39:30 -0600
Subject: Re: [gentoo-user] How to grant a CAP_NET_RAW capability to user?
From: Canek Peláez Valdés
To: gentoo-user@lists.gentoo.org

From man:capabilities(7):

"Capabilities are a per-thread attribute."

I don't think you can grant any capability to a user. A workaround for what you want is to write a little executable that only execvp's bash (or whatever shell you use), grant that executable CAP_NET_RAW, and then set it as default shell with usermod.

Regards.

On Tue, Dec 10, 2013 at 12:16 PM, Grant Edwards wrote:
> How do you grant a capability (e.g. CAP_NET_RAW) to a user?
>
> I've been googling and have found countless articles and blog posts
> explaining what each capability is and how to grant capabilities to an
> executable file. While granting the capability to an executable does
> work, that's not what I need to do for a couple different reasons.
>
> I need to grant the capability to a user, not to the executable.
>
> There were a couple vague references implying that you can configure
> "login to grant the desired capabilities" when a user logs in, but
> I've not found any documentation on how to do that.
>
> I've tried editing /etc/security/capability.conf and adding the line
>
> cap_net_raw
>
> But, that doesn't seem to have any effect (yes, I logged out and back
> in again).
>
> --
> Grant Edwards               grant.b.edwards        Yow! Mary Tyler Moore's
>                                   at               SEVENTH HUSBAND is wearing
>                               gmail.com            my DACRON TANK TOP in a
>                                                    cheap hotel in HONOLULU!
>
>

--
Canek Peláez Valdés
Posgrado en Ciencia e Ingeniería de la Computación
Universidad Nacional Autónoma de México
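
The shell wrapper suggested in the reply above, written out as an added example (it is not code from the thread). A file capability on the wrapper is not carried across the exec of a shell that has no file capabilities of its own, so the wrapper raises CAP_NET_RAW into its inheritable and ambient sets before it execs. Assumptions: Linux 4.3 or later (where the ambient set exists), and the install path `/usr/local/bin/netraw-shell` and `/bin/bash` as the real shell are placeholders.

```c
/* Added example: login-shell wrapper that passes CAP_NET_RAW to the real shell.
 * Assumed install, run as root (the path is hypothetical):
 *   setcap cap_net_raw+p /usr/local/bin/netraw-shell
 *   usermod -s /usr/local/bin/netraw-shell <user>
 */
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#define REAL_SHELL "/bin/bash"   /* assumption: the user's actual shell */

/* Returns 1 if cap is in this thread's ambient set, 0 otherwise. */
int ambient_is_set(int cap)
{
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, (unsigned long)cap, 0UL, 0UL) == 1;
}

/* Add cap to the inheritable set, then to the ambient set. Returns 0 or -1.
 * Both steps fail unless cap is already permitted (granted by setcap above). */
int raise_ambient(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];

    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    data[CAP_TO_INDEX(cap)].inheritable |= CAP_TO_MASK(cap);
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -1;
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)cap, 0UL, 0UL);
}

int main(int argc, char **argv)
{
    static char login_name[] = "-bash", plain_name[] = "bash";

    if (argc < 1)
        return 127;
    if (raise_ambient(CAP_NET_RAW) != 0)
        perror("netraw-shell: CAP_NET_RAW not passed on"); /* shell still starts, without it */
    /* login(1) marks a login shell with a leading '-'; keep that for bash */
    argv[0] = (argv[0][0] == '-') ? login_name : plain_name;
    execvp(REAL_SHELL, argv);
    perror("netraw-shell: exec " REAL_SHELL);
    return 127;
}
```

Every program started from that shell inherits CAP_NET_RAW, and anyone who can execute the wrapper gets it as well, so keep the file root-owned and executable only by a group that contains the intended user.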