From: Grant Edwards <grant.b.edwards@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: How to grant a CAP_NET_RAW capability to user?
Date: Tue, 10 Dec 2013 18:56:12 +0000 (UTC)
Message-ID: <l87o4b$6ii$1@ger.gmane.org>
In-Reply-To: CADPrc80ZbUExn7CFq-g5dVY6erT2PwL-jbPTTZfDMNB_1D0TFw@mail.gmail.com
On 2013-12-10, Canek Peláez Valdés <caneko@gmail.com> wrote:
>> How do you grant a capability (e.g. CAP_NET_RAW) to a user?
> From man:capabilities(7): "Capabilities are a per-thread attribute."
>
> I don't think you can grant any capability to a user.
I've found some indications that you can. Various references to
PAM_CAP imply that I should be able to do what I want. From
http://blog.siphos.be/2013/05/restricting-and-granting-capabilities/:
    You can also grant capabilities to users selectively, using
    pam_cap.so (the Capabilities Pluggable Authentication Module).
But the example provided only shows how to grant capabilities to a
user that can then be inherited by files which must also have that
same capability enabled. That's not quite what I want to do (and it
doesn't seem to work).
There are two reasons that granting the capability to the executable
isn't feasible:
1) Some of the programs are written in Python, and I don't want to
grant the capability to all Python programs by setting the
capability on /usr/bin/python.
2) Some of the programs are ELF executables (compiled C programs)
that are under development and are being continuously re-built
and re-run. If I have to do a "sudo setcap" every time I
compile/run a program, then I might as well just do "sudo
<program>" the way I do now.
> A workaround for what you want is to write a little executable that
> only execvp's bash (or whatever shell you use), grant that executable
> CAP_NET_RAW, and then set it as default shell with usermod.
I thought about that, but that seems fragile.
I supposed I could set the capability on /bin/bash with +p instead of
+ep, then it should only take effect for users who have the capability
enabled (though I haven't been able to get that to work yet).
--
Grant Edwards               grant.b.edwards at gmail.com
                            Yow! My vaseline is RUNNING...
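The two mechanisms discussed in this message (pam_cap putting a capability in the user's inheritable set, versus setcap putting it in a file's permitted set with +p or +ep) combine according to the execve() transformation rules in capabilities(7). The following is an added example, not code from the thread or from Gentoo, that models those rules so the outcome of each setup can be checked without root: the pam_cap route with a file marked cap_net_raw+i versus +ei, and /bin/bash marked cap_net_raw+p. The capability numbers are the ones from <linux/capability.h>; the bounding set value, the /proc status sample and the scenario helper names are constructed for the example. Set-user-ID files are not modelled.

```python
"""Model of the execve() capability transformation from capabilities(7),
plus a decoder for the Cap* lines of /proc/<pid>/status.
Added example; assumes the rules as documented for Linux, not any
particular distribution's pam_cap or setcap build."""

# Subset of capability bit numbers from <linux/capability.h>.
CAP_NUMBERS = {
    "CAP_CHOWN": 0,
    "CAP_DAC_OVERRIDE": 1,
    "CAP_KILL": 5,
    "CAP_SETUID": 7,
    "CAP_NET_BIND_SERVICE": 10,
    "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13,
    "CAP_SYS_ADMIN": 21,
}
CAP_NAMES = {v: k for k, v in CAP_NUMBERS.items()}

# Full bounding set of an unconfined process; assumes CAP_LAST_CAP == 40.
ALL_CAPS = (1 << 41) - 1


def mask(*names):
    """Bitmask for the named capabilities."""
    m = 0
    for n in names:
        m |= 1 << CAP_NUMBERS[n]
    return m


def decode(m):
    """Capability names set in bitmask m, in bit order (unknown bits as CAP_<n>)."""
    return [CAP_NAMES.get(b, f"CAP_{b}") for b in range(m.bit_length()) if (m >> b) & 1]


def execve_caps(p_inh, p_bound, p_amb, f_perm, f_inh, f_eff):
    """capabilities(7), 'Transformation of capabilities during execve()'.
    p_* are the calling thread's sets, f_* the file's sets; f_eff is the
    file's effective bit (setcap ...+e)."""
    privileged = bool(f_perm | f_inh)          # file carries capabilities
    new_amb = 0 if privileged else p_amb       # ambient is dropped for privileged files
    new_perm = (p_inh & f_inh) | (f_perm & p_bound) | new_amb
    new_eff = new_perm if f_eff else new_amb   # +e raises everything permitted
    return {"permitted": new_perm, "effective": new_eff,
            "inheritable": p_inh, "ambient": new_amb}


def scenario_pam_cap_plus_i(file_eff):
    """pam_cap gave the user CAP_NET_RAW inheritable; the program is marked
    cap_net_raw+i (file_eff=False) or cap_net_raw+ei (file_eff=True)."""
    return execve_caps(p_inh=mask("CAP_NET_RAW"), p_bound=ALL_CAPS, p_amb=0,
                       f_perm=0, f_inh=mask("CAP_NET_RAW"), f_eff=file_eff)


def scenario_bash_plus_p(user_inh):
    """/bin/bash marked cap_net_raw+p, run by a user whose inheritable set is user_inh."""
    return execve_caps(p_inh=user_inh, p_bound=ALL_CAPS, p_amb=0,
                       f_perm=mask("CAP_NET_RAW"), f_inh=0, f_eff=False)


# Constructed sample of the relevant lines of /proc/<pid>/status.
SAMPLE_STATUS = (
    "Name:\tdemo\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t0000000000002000\n"
    "CapPrm:\t0000000000002000\n"
    "CapEff:\t0000000000002000\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n"
)


def parse_proc_status(text):
    """Return {'CapInh': int, 'CapPrm': int, ...} from /proc/<pid>/status text."""
    sets = {}
    for line in text.splitlines():
        if line.startswith("Cap"):
            key, _, val = line.partition(":")
            sets[key] = int(val.strip(), 16)
    return sets


if __name__ == "__main__":
    for label, result in [
        ("pam_cap + file cap_net_raw+i", scenario_pam_cap_plus_i(False)),
        ("pam_cap + file cap_net_raw+ei", scenario_pam_cap_plus_i(True)),
        ("bash cap_net_raw+p, user without pam_cap grant", scenario_bash_plus_p(0)),
        ("bash cap_net_raw+p, user with pam_cap grant", scenario_bash_plus_p(mask("CAP_NET_RAW"))),
    ]:
        print(f"{label}: permitted={decode(result['permitted'])} "
              f"effective={decode(result['effective'])}")
    for key, val in parse_proc_status(SAMPLE_STATUS).items():
        if key != "CapBnd":
            print(f"{key}: {decode(val)}")
```

Two points the computation makes visible: with cap_net_raw+i the exec'd program only gets CAP_NET_RAW in its permitted set and must raise it itself (a Python script cannot do that for the interpreter, which is why the file bit has to be +ei), and a file's permitted bit (+p) is granted from the file's own set ANDed with the caller's bounding set, so it takes effect for every user whose bounding set includes the capability, independent of what pam_cap put in their inheritable set. Reading /proc/self/status after exec, as parse_proc_status does, is the quickest way to confirm which of the five sets a given setup actually populated.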