Questions tagged [linux-capabilities]

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero).

Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).

174 questions

10 votes, 4 answers

fork and execve to inherit unprivileged parent process' capabilities

In a Linux system, an unprivileged user launches a program. The process created has the capabilities CAP_NET_RAW, CAP_NET_ADMIN in the effective, permitted and inheritable sets. This process then creates a child process by calling fork and execv to invoke…
Eswar
10 votes, 1 answer

Making an RPM which sets POSIX files capabilities

How does one make an RPM which sets the POSIX capabilities of a file? If I try doing rpmbuild as a non-root user then I get an error when my makefile's install hooks try to run setcap, but if I don't run setcap how will rpmbuild copy the…
Matthew Cline
10 votes, 2 answers

How to read file capabilities using Python?

On Linux systems root privileges can be granted more selectively than adding the setuid bit using file capabilities. See capabilities(7) for details. These are attributes of files and can be read using the getcap program. How can these attributes be…
Helmut Grohne
10 votes, 2 answers

Drop root UID while retaining CAP_SYS_NICE

I'm trying to write a daemon that will start as root using a setuid bit, but then quickly revert to the user running the process. The daemon, however, needs to retain the ability to set new threads to "realtime" priority. The code that I'm using to…
brooks94
9 votes, 3 answers

ubuntu and libcap (capabilities) undefined reference

I'm trying to compile the following minimal C code on Ubuntu 10.10: #include void main(void) { cap_t cap; cap = cap_get_proc(); } with gcc -lcap test.c, which gives me the following error: /tmp/ccCQFyXS.o: In…
kuroneko
7 votes, 0 answers

Run app inside docker container as non-root user with capabilities

I tried to run a simple Python UDP echo server listening on port 507 inside a Docker container that uses a non-root user. The Dockerfile looks like this: FROM docker.io/centos RUN yum -y install iputils iproute COPY echo-server.py /tmp/ USER…
fruetschi
7 votes, 2 answers

Does using Linux capabilities disable LD_PRELOAD?

In my custom environment an interceptor library is preloaded which runs a special implementation of the bind(), connect(), etc. calls. The problem I see is that whenever an application has explicitly been granted capabilities using the setcap command, executing the…
Sunil Bojanapally
7 votes, 1 answer

Edit Linux capabilities in Perl

In a C program, you can edit your capabilities with cap_set_proc from libcap. How can I achieve the same in a Perl program?
user49740
6 votes, 1 answer

Difference between `--privileged` and `--cap-add=all` in Docker

Background: I am running a Docker container which needs to load/remove a kernel module which makes USB devices attached to a remote server available on the host, which I then want to make available in the container. It works when running the…
nfelger
6 votes, 1 answer

How to add capabilities to a native library but not to the executable running it?

Context: I've written a Java library that uses a C library via JNI. The C library is compiled on Linux into a .so file. This library needs the cap_net_raw capability. Goal: execute a Java process without additional privileges that uses said Java library.…
6 votes, 2 answers

Is cap_dac_override a superset of cap_dac_read_search?

I'm working on limiting capabilities of an existing, complex application and I have been searching for a while for a credible source proving that permissions included in cap_dac_override are a superset of cap_dac_read_search. It seems logical that…
tomix86
6 votes, 2 answers

File capabilities do not transfer to process once executed

I'm trying to write a program which requires elevated capabilities (rather than simply run it with sudo). However, none of the capabilities I set using setcap seem to transfer into the process once executed. This problem occurs across multiple…
Matt S
6 votes, 2 answers

Capabilities & Linux & Java

I am experimenting with Linux capabilities for a Java application. I do not want to add capabilities to the interpreter (JVM), so I tried to write a simple wrapper (with debugging information printed to stdout): #include #include…
Marek Jelen
6 votes, 3 answers

How to execve a process, retaining capabilities in spite of missing filesystem-based capabilities?

I want to make the system usable without setuid, file "+p" capabilities, and in general without things which are disabled when I set PR_SET_NO_NEW_PRIVS. With this approach (init sets PR_SET_NO_NEW_PRIVS and filesystem-based capability elevation no…
Vi.
5 votes, 1 answer

In my Docker container, why can I still bind the port 1 without `NET_BIND_SERVICE` capability?

I'm using Ubuntu 18.04 Desktop. Here are more details about my question. Recently, I've been writing some test code that wants to do this: when it is run as a non-privileged user, the test code tries to bind a privileged port (port 1 in my case) and…
yaobin