Stack Overflow
Stack Overflow

Questions tagged [linux-capabilities]

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero).

Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

174 questions
0
votes
1 answer

CAP_NET_ADMIN equivalent for *BSD

I'm contributing to a routing daemon, and investigating security measures. The daemon, when running, talks to the kernel and installs routes. On Linux, as a good practice, if the daemon is launched as root (and properly configured) it will quickly…
Antonin Décimo
  • 499
  • 3
  • 17
0
votes
1 answer

Copy a file without removing the destination capabilities

I have a binary foo, generated from C++ code, which has special capabilities set on it with: sudo setcap cap_sys_rawio=ep ./foo Now I want to build another version of this binary, and the output of the build (the new binary) goes into a file named…
BeeOnRope
  • 60,350
  • 16
  • 207
  • 386
0
votes
1 answer

Which process/thread capabilities sets will be changed during clone(2), unshare(2), and setns(2)?

The man page for user_namespaces(7) says: The child process created by clone(2) with the CLONE_NEWUSER flag starts out with a complete set of capabilities in the new user namespace. Likewise, a process that creates a new user namespace using…
TheDiveO
  • 2,183
  • 2
  • 19
  • 38
0
votes
1 answer

What capabilities required for ioctl() on emmc on systemd?

I want to run my program with systemd with a regular user ( non-root). This program uses ioctl() syscall to access emmc registers.I want to learn which capabilities required to be added to my systemd unit file. I tried with below unit…
Sertac TULLUK
  • 79
  • 1
  • 8
0
votes
0 answers

How to use perf_evt_open to get seperate process's info

I've been trying to sample ptrace events from C. The following is my code to get a file handle on perf: pid_t pid; uint64_t next_offset=0; if(argc != 2) { fprintf(stderr,"please provide PID"); exit(EXIT_FAILURE); } …
ACCurrent
  • 385
  • 5
  • 12
0
votes
1 answer

A DaemonSet for kubernetes works fine while in privileged mode, but fails even if all linux capabilties are added

I have a Daemonset running in privileged mode in a kubernetes cluster. This is the YAML spec of the daemon set. apiVersion: extensions/v1beta1 kind: DaemonSet metadata: name: my-daemon spec: template: metadata: labels: app:…
Akhil Mohan
  • 105
  • 2
  • 11
0
votes
1 answer

Change permission of file owned by root-user without using sudo

I have a file owned by "root" and script owned by "non-root" user. I'm trying to change permission of "root" owned file using "non-root" script and getting below error: $ cat root_file echo "HELLO WORLD" $ cat non_root_script chmod 777…
Manipal Singh
  • 9
  • 3
0
votes
0 answers

Get "Operation not permitted" when I run "ping" in a new user namespace

I create a new process and new user namespace like this: clone(run, stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, NULL); and run ping in new process, but I got an error: Operation not permitted. Here is my code: #define _GNU_SOURCE #include…
solomon_wzs
  • 1,711
  • 5
  • 16
  • 29
0
votes
1 answer

Segmentation fault when executing binary in runc container

I'm having a particular issue with a runc container. I have a bash script (running as root) that's executing the following: $ setcap cap_net_bind_service=+ep ${PACKAGE_DIR}/bin/my-binary $ chpst -u vcap:vcap "${PACKAGE_DIR}/bin/my-binary" --config…
mango
  • 5,577
  • 4
  • 29
  • 41
0
votes
1 answer

Linux: setting process priority AND dynamically loading libraries

I have a linux application which loads *.so libraries using a modified rpath (set during installation). It also needs to run with realtime priority. To get realtime priority it does this: sched_param sched; sched.sched_priority =…
Stewart
  • 4,356
  • 2
  • 27
  • 59
0
votes
1 answer

Do Linux capabilities partition the possible privileged operations?

More precisely, are there any operations for which more than one capability could be used to give a process the necessary permissions?
dippynark
  • 2,743
  • 20
  • 58
0
votes
1 answer

Run ifup and ifdown with sudo using linux capability

I want to run ifup eth0 and ifdown eth0 without sudo by using Linux capabilitiesFor the same issue I have written code for the same main.c int main{ FILE ,*fp; fp = popen("ifdown eth0","r"); if(fp==NULL) { printf("popen…
indrajeet
  • 16
  • 1
0
votes
1 answer

Yocto getcap: command not found

I'm updating our yocto from fido to morty, and have been migrating recipes and such to work with it, but now I dont have getcap on the target. I checked that PATH is correctly set up: echo $PATH /usr/sbin:/usr/bin... and that there is no getcap in…
Ou Tsei
  • 470
  • 7
  • 24
0
votes
1 answer

What capabilities does systemd daemon require to create cgroups?

In my project I need sometimes to be able to create new control groups as an unprivileged user. I decided to write a systemd daemon for this. I use libcgroup in the daemon code for cgroup manipulation. When I try to create a cgroup…
Vasiliy
  • 1
  • 1
0
votes
1 answer

Where the node capabilities are stored in kubernetes

My questions related to kubernetes resource management: How Kubernetes master collects all his nodes resource capabilities and then use those capabilities to schedule Pods as per there requirement and resource availability?. Where the capabilities…
Rajendra
  • 373
  • 1
  • 2
  • 18
1 2 3
11
12