Questions tagged [linux-capabilities]

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero).

Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).

174 questions
0 votes, 1 answer

linux perf: how to enable perf permission for specific users?

How to setup perf permission for specific user? (kernel.perf_event_paranoid is not an option because it is global) Kernel documentation is unclear or…
user2771324
0 votes, 1 answer

gitea setcap cap_net_bind_service=+ep not working in podman

I want to use gitea via docker, but don't want to set up a reverse proxy as it is a minimal setup. To enable the default, non-root user git in the gitea:latest docker-image to bind to ports 80 and 443, I followed the idea of this answer and created by…
Alias42
0 votes, 1 answer

Linux capabilities for container to update file atime programmatically

I have a container running in non-privileged mode. I'd like to update a file's atime via python code for some reason but found I could not do that due to a permission issue, even though I can write to that file. I tried to add linux capabilities to the…
Alan Cheng
0 votes, 0 answers

Is it possible to preserve capabilities using tar while skipping old files?

So I want to use tar to preserve capabilities of files and to skip existing files if they are the same. I know there are specific flags for both preserving capabilities and skipping old files, but if I use them like this: sudo tar --skip-old-files…
0 votes, 0 answers

How to run Intellij with CAP_SYSLOG?

To enable profiling, intellij needs access to elevated kernel capabilities. It shows a dialog asking to open those features on the entire system. I'm trying to restrict the damage to the intellij process only. One item is kptr_restrict, which I can…
gabriel
0 votes, 0 answers

Want to mount inside docker using capabilities (SYS_ADMIN)

I want to use the mount command inside docker (kubernetes). It is not allowed to use the mount option when building or starting a docker container. I didn't want to give privileged permission, so I added capabilities (SYS_ADMIN and MKNOD), but AppArmor…
Kyroo0
0 votes, 1 answer

Difference between privileged and capabilities

I am trying to authorize a Kubernetes pod with a Capability in securityContext ("Set capabilities for a Container"). I followed this document to check /proc/1/status and find some information about pods. But I found that "inside pod, it seems that…
Kyroo0
0 votes, 1 answer

Trying to perform setcap from a Qt program

I'm trying to perform setcap from a Qt program this way: QProcess process; QString command = "cat"; QStringList args; args << _fileName; process.start(command, args); process.waitForFinished(); QString StdOut =…
Ekaterina
0 votes, 1 answer

How do I get CAP_PERFMON to work in docker?

I need to deploy some docker containers that need to be sandboxed and need access to performance counters. It seems like CAP_PERFMON is exactly what I need. However, installing with the nightly channel (or any of the other channels) using the latest…
MemoryWrangler
0 votes, 1 answer

Unable to run docker container which has C++ code calling pthread_setschedparam()

I have a docker container, which has C++ code in it. void SetRealtimeThreadPriority() { sched_param const param{ThreadPriorities::Priority()}; int result = pthread_setschedparam(pthread_self(), ThreadPriorities::Policy(), &param); …
0 votes, 2 answers

Request Linux Capabilities During Runtime

I am developing a program in C that requires temporary use of some capabilities that require elevation to acquire, and I would rather not just have users issue sudo because it will be a one-time setup. How would I go about granting capabilities such as…
gudenau
0 votes, 2 answers

How do I add Linux capabilities SYS_NICE and DAC_READ_SEARCH to container in AWS Fargate?

I'm trying to set up a task definition in ECS Fargate for running Koha containers, but Fargate won't accept --cap-add=SYS_NICE --cap-add=DAC_READ_SEARCH (or any other kernel capabilities except for SYS_PTRACE) in the task definition json file. I tried…
0 votes, 1 answer

AppArmor: How to block pid=host container with CAP_SYS_ADMIN/CAP_SYS_CHROOT from reading (some) host files?

Given is a container that has pid=host (so it is in the initial PID namespace and has a full view on all processes). This container (rather, its process) additionally has the capabilities CAP_SYS_ADMIN and CAP_SYS_CHROOT, so it can change mount…
TheDiveO
0 votes, 1 answer

Netstat in docker does not show PIDs for processes started as a different user

I am running a network server under the jamq user in Docker. [root@12af450e8259 /]# su jamq -c '/opt/jboss-amq-7-i0/bin/artemis-service start' Starting artemis-service artemis-service is now running (25) I am then trying to list processes and their…
user7610
0 votes, 1 answer

Why is cap_net_bind_service not working in this nginx nested Docker container?

The nginx ingress controller for Kubernetes uses the cap_net_bind_service capability, which is a Linux filesystem attribute, to obtain the permissions to open a privileged port (port 80). However, I have a kind test which creates a local Kubernetes…
Robin Green