From: Grant Edwards @ 2013-12-10 18:16 UTC
To: gentoo-user
Subject: [gentoo-user] How to grant a CAP_NET_RAW capability to user?

How do you grant a capability (e.g. CAP_NET_RAW) to a user?

I've been googling and have found countless articles and blog posts
explaining what each capability is and how to grant capabilities to an
executable file. While granting the capability to an executable does
work, that's not what I need to do for a couple different reasons.

I need to grant the capability to a user, not to the executable.

There were a couple vague references implying that you can configure
"login to grant the desired capabilities" when a user logs in, but
I've not found any documentation on how to do that.

I've tried editing /etc/security/capability.conf and adding the line

    cap_net_raw <username>

But, that doesn't seem to have any effect (yes, I logged out and back
in again).

-- 
Grant Edwards               grant.b.edwards        Yow! Mary Tyler Moore's
                                  at               SEVENTH HUSBAND is wearing
                              gmail.com            my DACRON TANK TOP in a
                                                   cheap hotel in HONOLULU!
From: Canek Peláez Valdés @ 2013-12-10 18:39 UTC
To: gentoo-user
Subject: Re: [gentoo-user] How to grant a CAP_NET_RAW capability to user?

From man:capabilities(7): "Capabilities are a per-thread attribute."

I don't think you can grant any capability to a user. A workaround for
what you want is to write a little executable that only execvp's bash
(or whatever shell you use), grant that executable CAP_NET_RAW, and
then set it as default shell with usermod.

Regards.

On Tue, Dec 10, 2013 at 12:16 PM, Grant Edwards <grant.b.edwards@gmail.com> wrote:
> How do you grant a capability (e.g. CAP_NET_RAW) to a user?
>
> I've been googling and have found countless articles and blog posts
> explaining what each capability is and how to grant capabilities to an
> executable file. While granting the capability to an executable does
> work, that's not what I need to do for a couple different reasons.
>
> I need to grant the capability to a user, not to the executable.
>
> There were a couple vague references implying that you can configure
> "login to grant the desired capabilities" when a user logs in, but
> I've not found any documentation on how to do that.
>
> I've tried editing /etc/security/capability.conf and adding the line
>
>     cap_net_raw <username>
>
> But, that doesn't seem to have any effect (yes, I logged out and back
> in again).
>
> --
> Grant Edwards               grant.b.edwards        Yow! Mary Tyler Moore's
>                                   at               SEVENTH HUSBAND is wearing
>                               gmail.com            my DACRON TANK TOP in a
>                                                    cheap hotel in HONOLULU!

-- 
Canek Peláez Valdés
Posgrado en Ciencia e Ingeniería de la Computación
Universidad Nacional Autónoma de México
From: Grant Edwards @ 2013-12-10 18:56 UTC
To: gentoo-user
Subject: [gentoo-user] Re: How to grant a CAP_NET_RAW capability to user?

On 2013-12-10, Canek Peláez Valdés <caneko@gmail.com> wrote:

>> How do you grant a capability (e.g. CAP_NET_RAW) to a user?

> From man:capabilities(7): "Capabilities are a per-thread attribute."
>
> I don't think you can grant any capability to a user.

I've found some indications that you can. Various references to
PAM_CAP imply that I should be able to do what I want. From
http://blog.siphos.be/2013/05/restricting-and-granting-capabilities/:

    You can also grant capabilities to users selectively, using
    pam_cap.so (the Capabilities Pluggable Authentication Module).

But the example provided only shows how to grant capabilities to a
user that can then be inherited by files which must also have that
same capability enabled. That's not quite what I want to do (and it
doesn't seem to work).

There are two reasons that granting the capability to the executable
isn't feasible:

 1) Some of the programs are written in Python, and I don't want to
    grant the capability to all Python programs by setting the
    capability on /usr/bin/python.

 2) Some of the programs are ELF executables (compiled C programs)
    that are under development and are being continuously re-built
    and re-run. If I have to do a "sudo setcap" every time I
    compile/run a program, then I might as well just do "sudo
    <program>" the way I do now.

> A workaround for what you want is to write a little executable that
> only execvp's bash (or whatever shell you use), grant that executable
> CAP_NET_RAW, and then set it as default shell with usermod.

I thought about that, but that seems fragile.

I supposed I could set the capability on /bin/bash with +p instead of
+ep, then it should only take effect for users who have the capability
enabled (though I haven't been able to get that to work yet).

-- 
Grant Edwards               grant.b.edwards        Yow! My vaseline is
                                  at               RUNNING...
                              gmail.com
From: Canek Peláez Valdés @ 2013-12-10 19:40 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Re: How to grant a CAP_NET_RAW capability to user?

On Tue, Dec 10, 2013 at 12:56 PM, Grant Edwards <grant.b.edwards@gmail.com> wrote:
> On 2013-12-10, Canek Peláez Valdés <caneko@gmail.com> wrote:
>
>>> How do you grant a capability (e.g. CAP_NET_RAW) to a user?
>
>> From man:capabilities(7): "Capabilities are a per-thread attribute."
>>
>> I don't think you can grant any capability to a user.
>
> I've found some indications that you can. Various references to
> PAM_CAP imply that I should be able to do what I want. From
> http://blog.siphos.be/2013/05/restricting-and-granting-capabilities/:
>
>     You can also grant capabilities to users selectively, using
>     pam_cap.so (the Capabilities Pluggable Authentication Module).

I think my proposal could be implemented using PAM, but it would be
the same, I suppose.

> But the example provided only shows how to grant capabilities to a
> user that can then be inherited by files which must also have that
> same capability enabled. That's not quite what I want to do (and it
> doesn't seem to work).

The restriction to files already having the capability is for security
reasons, obviously: if a user has a certain capability, and she forgets
to change the others' access to some executable, then anyone has the
capability (if I understand correctly).

> There are two reasons that granting the capability to the executable
> isn't feasible:
>
>  1) Some of the programs are written in Python, and I don't want to
>     grant the capability to all Python programs by setting the
>     capability on /usr/bin/python.

Again, create an executable with CAP_SETPCAP that executes the Python
programs and sets the capabilities for the running program.

>  2) Some of the programs are ELF executables (compiled C programs)
>     that are under development and are being continuously re-built
>     and re-run. If I have to do a "sudo setcap" every time I
>     compile/run a program, then I might as well just do "sudo
>     <program>" the way I do now.

You can create (once) an executable with CAP_SETFCAP, which your build
system calls automatically every time you recompile and that sets the
CAP_NET_RAW capability for the resulting executable. Not very secure
anyway, but I think it could work.

>> A workaround for what you want is to write a little executable that
>> only execvp's bash (or whatever shell you use), grant that executable
>> CAP_NET_RAW, and then set it as default shell with usermod.
>
> I thought about that, but that seems fragile.
>
> I supposed I could set the capability on /bin/bash with +p instead of
> +ep, then it should only take effect for users who have the capability
> enabled (though I haven't been able to get that to work yet).

I think the problem is that you want to use capabilities in a way that
they are not designed for: you don't set capabilities at development
time, you do it at deployment time. I would develop in a container or
a VM until the program is ready and then deploy it with capabilities
enabled.

Regards.

-- 
Canek Peláez Valdés
Posgrado en Ciencia e Ingeniería de la Computación
Universidad Nacional Autónoma de México
From: Grant Edwards @ 2013-12-10 20:07 UTC
To: gentoo-user
Subject: [gentoo-user] Re: How to grant a CAP_NET_RAW capability to user?

On 2013-12-10, Canek Peláez Valdés <caneko@gmail.com> wrote:

>> But the example provided only shows how to grant capabilities to a
>> user that can then be inherited by files which must also have that
>> same capability enabled. That's not quite what I want to do (and it
>> doesn't seem to work).
>
> The restriction to files already having the capability is for security
> reasons, obviously: if a user has a certain capability, and she forgets
> to change the others' access to some executable, then anyone has the
> capability (if I understand correctly).

No, that's not how it works. You can use pam_cap to grant an
inheritable capability to a user, but it can only be used by files
that also have the capability to inherit that capability.

There are basically two ways you can set a capability on a file: the
file can have the capability regardless of the user, or the file can
have the capability only if it can be inherited from the user.

If you grant a capability to a file using "setcap cap_whatever+ei
myprog" then it's only effective for users that also have cap_whatever
enabled in /etc/security/capability.conf

If you grant a capability to a file using "setcap cap_whatever+ep",
then it's available to all users.

> Again, create an executable with CAP_SETPCAP that executes the Python
> programs and sets the capabilities for the running program.

[...]

> You can create (once) an executable with CAP_SETFCAP, which your
> build system calls automatically every time you recompile and that
> sets the CAP_NET_RAW capability for the resulting executable. Not
> very secure anyway, but I think it could work.

It's a lot simpler to just continue using sudo to run the programs.

>>> A workaround for what you want is to write a little executable that
>>> only execvp's bash (or whatever shell you use), grant that executable
>>> CAP_NET_RAW, and then set it as default shell with usermod.
>>
>> I thought about that, but that seems fragile.

That wouldn't help. I've figured out how to give bash CAP_NET_RAW
capabilities for a specified user, but it still requires that
executables have the same capability set.

>> I supposed I could set the capability on /bin/bash with +p instead of
>> +ep, then it should only take effect for users who have the capability
>> enabled (though I haven't been able to get that to work yet).

That doesn't work either. Bash gets the privileges in question but
they aren't inherited by programs invoked by bash unless they have
already had those capabilities set.

> I think the problem is that you want to use capabilities in a way that
> they are not designed for:

Apparently so.

> you don't set capabilities at development time, you do it at
> deployment time. I would develop in a container or a VM until the
> program is ready and then deploy it with capabilities enabled.

No, that's not the problem. The problem is that the whole system is
designed to assign capabilities to _files_, and I want to assign a
capability to a user.

-- 
Grant Edwards               grant.b.edwards        Yow! BELA LUGOSI is my
                                  at               co-pilot ...
                              gmail.com
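Grant's three observations above (+ei only works for a user whose inheritable set already holds the capability, +ep works for everyone, and bash with +p holds the capability but cannot pass it to programs it runs) all follow from the execve() transformation rules in capabilities(7). The C model below is an added example, not code from the thread; it uses the pre-ambient rules of the 2013-era kernel, represents the pam_cap grant as the login process's inheritable set, and treats the setcap flags as constructed file-capability records.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Capability sets as bitmasks; CAP_NET_RAW is capability number 13 in the kernel. */
typedef uint64_t capset_t;
#define CAP_NET_RAW (1ULL << 13)

struct proc_caps { capset_t permitted, effective, inheritable, bounding; };
struct file_caps { capset_t permitted, inheritable; bool effective; };

/* Transformation of a process's capability sets across execve(), per
   capabilities(7), without the ambient set (added in Linux 4.3). */
struct proc_caps caps_after_exec(struct proc_caps p, struct file_caps f) {
    struct proc_caps n;
    n.permitted   = (p.inheritable & f.inheritable) | (f.permitted & p.bounding);
    n.effective   = f.effective ? n.permitted : 0;   /* file "e" is a single flag */
    n.inheritable = p.inheritable;                   /* unchanged by exec: pam_cap's grant lives here */
    n.bounding    = p.bounding;
    return n;
}

/* Constructed file-capability records mirroring the setcap flags in the thread. */
struct file_caps setcap_ei(capset_t c) { return (struct file_caps){ 0, c, true }; }
struct file_caps setcap_ep(capset_t c) { return (struct file_caps){ c, 0, true }; }
struct file_caps setcap_p(capset_t c)  { return (struct file_caps){ c, 0, false }; }
struct file_caps no_file_caps(void)    { return (struct file_caps){ 0, 0, false }; }

/* An unprivileged login process; pam_cap (via capability.conf) only adds
   the listed capabilities to its inheritable set. */
struct proc_caps login_process(capset_t pam_cap_inheritable) {
    return (struct proc_caps){ 0, 0, pam_cap_inheritable, ~0ULL };
}

/* True if a program exec'd from p with file caps f can actually open a raw socket. */
bool can_use_net_raw(struct proc_caps p, struct file_caps f) {
    return (caps_after_exec(p, f).effective & CAP_NET_RAW) != 0;
}

int main(void) {
    struct proc_caps with_pam = login_process(CAP_NET_RAW), other = login_process(0);
    printf("+ei, user in capability.conf: %d\n", can_use_net_raw(with_pam, setcap_ei(CAP_NET_RAW)));
    printf("+ei, any other user:          %d\n", can_use_net_raw(other, setcap_ei(CAP_NET_RAW)));
    printf("+ep, any other user:          %d\n", can_use_net_raw(other, setcap_ep(CAP_NET_RAW)));
    /* bash with +p: bash holds CAP_NET_RAW in permitted, but a child with
       no file capabilities gets nothing, exactly as Grant reports. */
    struct proc_caps bash = caps_after_exec(with_pam, setcap_p(CAP_NET_RAW));
    printf("bash +p -> plain child:       %d\n", can_use_net_raw(bash, no_file_caps()));
    return 0;
}
```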
From: Grant Edwards @ 2013-12-10 19:39 UTC
To: gentoo-user
Subject: [gentoo-user] Re: How to grant a CAP_NET_RAW capability to user?

On 2013-12-10, Grant Edwards <grant.b.edwards@gmail.com> wrote:

> How do you grant a capability (e.g. CAP_NET_RAW) to a user?

After more googling, I found this page which describes exactly what
I'm trying to do:

https://github.com/constanze/GSoC2010_Gentoo_Capabilities/wiki/pam_cap-on-gentoo

Except it doesn't work: after modifying /etc/pam.d/system-auth and
/etc/security/capability.conf as indicated and logging out/in, pscap
shows no cap_net_raw for the user in question, and trying to run
programs that use RAW sockets fail:

    socket: Operation not permitted
    Error opening socket: Operation not permitted

I'm apparently missing something...

-- 
Grant Edwards               grant.b.edwards        Yow! Sign my PETITION.
                                  at
                              gmail.com