Stack Overflow
Stack Overflow

Questions tagged [linux-capabilities]

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero).

Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

174 questions
3
votes
0 answers

Running process 'as root' with setuid bit not working as expected - operation not permitted?

I have a program that captures network traffic off a network interface. (It's a C program sitting on libpcap.) I'm running Fedora 26. When I run the program as root, things look great: [craig ~]$ sudo su - [root ~]$ /home/craig/mybinary (output is…
Craig Otis
  • 31,257
  • 32
  • 136
  • 234
3
votes
2 answers

getcap/setcap not working in docker container with Debian Stretch host

I've got a Debian Stretch host: root@jenkins-docker-01:~# lsb_release -a No LSB modules are available. Distributor ID: Debian Description: Debian GNU/Linux 9.0 (stretch) Release: 9.0 Codename: stretch root@jenkins-docker-01:~# uname -a Linux…
Alex Gaynor
  • 14,353
  • 9
  • 63
  • 113
3
votes
2 answers

Script with cap_net_bind_service can't listen on port 80

I'm attempting to give a script the cap_net_bind_service Linux capability. However using setcap doesn't seem to be working. $ cat listen.sh #!/bin/bash python -m SimpleHTTPServer 80 $ getcap listen.sh listen.sh = $ sudo setcap…
eric chiang
  • 2,575
  • 2
  • 20
  • 23
3
votes
1 answer

problems setting Linux Capabilities using Python

I want to set the CAP_NET_ADMIN capability for a certain subprocess in my python application. I tried a lot to do so, but I didn't succeed as no example is available, that makes it understandable for me. What I did was that I installed…
Martin
  • 594
  • 1
  • 8
  • 32
3
votes
1 answer

Why does CAP_NET_RAW not work with SO_BINDTODEVICE?

I have the following simple test program to create a UDP socket and bind it to a specific interface with SO_BINDTODEVICE so I can then bind() it so INADDR_ANY to recieve UDP broadcasts specifically on that interface. //filename: bindtest.c #include…
TabascoEye
  • 656
  • 5
  • 24
3
votes
1 answer

Do Linux capabilities work with binfmt_misc?

I'm potentially interested in using Linux capabilities for a program (specifically, cap_net_bind_service to allow a program to bind to a TCP port less than 1024). However, I'd like to do it for a program that is C# running under Mono. Normally, I…
Craig McQueen
  • 41,871
  • 30
  • 130
  • 181
3
votes
0 answers

Linux: how to drop privileges uid, gid, capabilities, additional groups

Hi is this the correct sequence to drop privileges in a Linux process? I want this code to work both in case I am running as a privileged user (e.g. in production), or just using as the user itself (e.g. for testing). Input = username,…
Carl D'Halluin
  • 1,052
  • 10
  • 14
3
votes
2 answers

Open raw socket in Linux without setcap cap_net_raw

I want to open a raw socket in Linux (with Python) without giving Python the cap_net_raw capability. I want the user to have this capability, not the program. I am using Ubuntu 12.4.
yoni
  • 96
  • 1
  • 6
3
votes
1 answer

How Linux Capabilities relate to zero/non-zero UID?

The capabilities manpage is rather long and I do not fully understand some things. How would look, for example, a function that decides whether we have access to CAP_NET_RAW? Input: a = Effective uid is 0 b = There are some real/saved/whatever uid…
Vi.
  • 37,014
  • 18
  • 93
  • 148
3
votes
2 answers

stdbuf with setuid/capabilities

I am reading output from another process which generates output (slow and infinite). Because I want to read this data in real-time I use "stdbuf -oL" (line-buffered, data is text). I do not have control of the generating process so I cannot modify…
ext
  • 2,593
  • 4
  • 32
  • 45
2
votes
1 answer

Changing capabilities of the process

Are there any way that I could run application with a special capabilities? I'm trying to set capabilities with function "cap_set_flag()", by setting flag "SET_CLEAR", to all "CAP_INHERITABLE" capabilities but it doesn't work. Child application…
Ilya
  • 79
  • 7
2
votes
1 answer

Why can't you drop a capability from the bounding set without CAP_SETPCAP?

I have a Linux service that runs as a non-root user and holds a set of a few capabilities. When it starts, I want to fork off a child process. That child process should drop one of its capabilities (let's say CAP_DAC_OVERRIDE). The idea is that in…
C0deH4cker
  • 3,959
  • 1
  • 24
  • 35
2
votes
1 answer

running a container with runAsNonRoot and add capabilities

I was trying to run my pod as non root and also grant it some capabilities. This is my config: containers: - name: container-name securityContext: capabilities: add: ["SETUID", "SYS_TIME"] …
eladm26
  • 517
  • 4
  • 23
2
votes
1 answer

Allow non-root user of container to execute binaries that need capabilities

I need to run a container as non-root user by default. However a specific process inside this container needs to execute a binary that needs cap_net_admin capabilities (e.g: ip command). I tried running the container with '--privileged' flag,…
m.divya.mohan
  • 2,261
  • 4
  • 24
  • 34
2
votes
1 answer

How to properly assign cap_net_raw to a Python script

I have a Python script which periodically pings machines in the network by using aioping to do it. It requires raw socket access for the ICMP messages and one way to do this is to run the script as root, which I don't want to do. What I've resorted…
Daniel F
  • 13,684
  • 11
  • 87
  • 116
1 2 3
11 12