Questions tagged [linux-capabilities]

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero).

Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).

174 questions
5 votes, 1 answer

How unshare makes possible to use chroot without real root?

chroot needs CAP_SYS_CHROOT according to the manual. The unshare command uses chroot. The command unshare -UrR newroot/ will work without being run as root, which makes sense since the -r flag makes us root inside the namespace, giving us the…
Vitor Falcão
5 votes, 2 answers

Why is requiring that all capabilities be dropped in a Kubernetes PodSecurityPolicy redundant with non-root + disallow privilege escalation?

The second example policy from the PodSecurityPolicy documentation consists of the following PodSecurityPolicy snippet ... spec: privileged: false # Required to prevent escalations to root. allowPrivilegeEscalation: false # This is redundant…
dippynark
5 votes, 1 answer

Setting Linux Capabilities in Yocto ext4 Image

I intend to set some capabilities on binaries included in a Yocto image using "setcap". For some reason the solutions mentioned here did not work for me: Linux capabilities with yocto. I have checked that by running "getcap" on my binary within the…
Rogue
5 votes, 1 answer

Which capabilities are needed for statx to stop giving EPERM

I have a Qt project that uses a plugin interface which compiles fine on my system. However, when the same project is compiled inside docker it stopped working with Qt 5.10.1, giving the message Error: Undefined interface. After some straceing the moc…
5 votes, 2 answers

Linux capabilities with yocto

I want to give several files Linux capabilities (e.g. CAP_NET_ADMIN). I am using Yocto and my file system should be read-only and must not be changed after flashing the software (this means pkg_postinst with setcap that would usually work is not…
Quizard
5 votes, 2 answers

setuid(0) with CAP_SETUID

I am trying to change my uid to 0 as non-root with the CAP_SETUID capability. I have the following program: #include #include #include #include #include int main(int argc, char…
Fabian
5 votes, 2 answers

How do I use the PAM capabilities module to grant capabilities to a particular user and executable?

I'm attempting to make a program which uses raw sockets run correctly as non-root with Linux capabilities. The program is as follows: #include int main() { int sd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP); if(sd < 0) { …
heath
5 votes, 1 answer

Using capsh to drop all capabilities

I'm trying to use capsh to grant myself a shell with no capabilities at all with a certain user. This is so I can test security stuff related to being non-root but with only certain capabilities. Basically I'd like to get a shell running with…
David
5 votes, 2 answers

losing capabilities after setuid()

Trying to set cap_setgid,cap_setuid,cap_setpcap. #include #include int main() { cap_t caps; caps = cap_get_proc(); cap_value_t cap_list[2]; cap_list[0] = CAP_SETUID; cap_list[1] = CAP_SETGID; …
4 votes, 1 answer

Use capabilities to open privileged ports without being root

I'm trying to open privileged ports (as an example to use libcap) without being root. This is my code: // http_capabilities.cpp #include #ifdef CLIENT #include #include #include #include…
DDS
4 votes, 0 answers

CAP_NET_ADMIN causes SSL to break in rust binary

I am working on a rust networking application. And I download a package from gcloud storage (using an https://... URL). I will eventually need the capabilities CAP_NET_ADMIN and CAP_NET_RAW. This is my rust program: pub fn…
4 votes, 3 answers

Checking for Linux capabilities to set thread priority

I have a C++ application that uses pthread_setschedparam() to set thread priority. Inside a docker container this fails with EPERM. How can I detect if my process has the necessary capabilities to set thread priority?
Gene Vincent
4 votes, 1 answer

Why is CapEff all zeros in /proc/$PID/status

I removed the setuid bit from the ping binary and added cap_net_raw+p instead as follows: $ chmod 755 /bin/ping $ setcap cap_net_raw+p /bin/ping Then I ran ping in one terminal and checked the /proc/$PID/status of the running process from…
el_tigro
4 votes, 2 answers

Launching perf from bash script with CAP_SYS_ADMIN and CAP_IPC_LOCK capabilities

I want to exploit capabilities to run some tests with perf, without running commands as root and without tweaking /proc/sys/kernel/perf_event_paranoid. Some error messages of perf say: You may not have permission to collect stats. Consider tweaking…
fusiled
4 votes, 0 answers

Reduce SYS_ADMIN Linux capabilities

I am creating a Docker container for which I do not want to keep the 'privileged' flag true. This is in an attempt to keep it more secure and for better control. My container is mainly engaged in the following tasks (this will help me define its resource access…
Korba