Questions tagged [linux-capabilities]

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero).

Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).

174 questions

2 votes, 1 answer

docker dropping capabilities not working as expected?

From this docker doc page - https://docs.docker.com/engine/security/#linux-kernel-capabilities Processes (like web servers) that just need to bind on a port below 1024 do not need to run as root: they can just be granted…
samshers

2 votes, 2 answers

What capabilities can open /proc/pid/ns/net?

setcap cap_net_raw,cap_net_admin,cap_sys_admin,cap_dac_override,cap_dac_read_search,cap_fowner+eip I want a process run by a normal user to switch to another process's netns; the other process is run by the root user. What I need to do is to open…
Mr Pang

2 votes, 1 answer

Does a process that has the root user always have all of the capabilities available in Linux?

In Linux, a process that has a non-root user can have some capabilities assigned to it to increase its privileges. And a process that has the root user has all of the capabilities available, but can such a process have some of its capabilities…
John

2 votes, 1 answer

Java "symbol lookup error" for JLI_InitArgProcessing when running with setcap capabilities

We installed Java 11 on a server that is meant to monitor a network interface for traffic. After the initial installation (yum install java-11-openjdk-devel.x86_64) the java command works properly for both root and a regular user. However, our Java…
Craig Otis

2 votes, 2 answers

How do I map Linux system calls to capabilities

I want to run a container in unprivileged mode. This is in an attempt to keep it more secure and for better control. I recorded a few system calls from my container. Below are the…

2 votes, 1 answer

Running nobody (or dynamic user) with CAP_NET_RAW in systemd

I want to run a service with cap_net_raw capabilities but without any interaction with the filesystem and/or other processes. My program will use raw sockets and normal sockets (for API), stdout/err for logging and that's all. I want to write…
George Shuklin

2 votes, 1 answer

Cannot open uid_map for writing from an app with cap_setuid capability set

While toying around with an example from user_namespaces(7), I've come across a strange behaviour. What the application does The application user-ns-ex calls clone(2) with CLONE_NEWUSER, thus creating a new process in a new user namespace. The…
Arks

2 votes, 1 answer

pthread_setname_np() when capabilities are set

I compiled the example program from man pthread_setname_np with g++ -pthread example.cpp And I set the cap_net_raw capability of my program a.out. sudo setcap 'cap_net_raw=+eip' a.out Surprisingly the program fails when…
gees

2 votes, 2 answers

Test for linux CAP_FOWNER capability in C?

Before invoking chmod() on a directory, if the caller does not own the directory, I would like to test that the caller has the CAP_FOWNER capability. From searching, it seems that I should be able to test for the CAP_FOWNER capability by calling…

2 votes, 2 answers

Use Linux setcap command to set capabilities during Yocto build

I'm using Yocto 1.8 to build a Linux system. I need to use the command "setcap" to set file capabilities during build, which is introduced via libcap package recipe:…

2 votes, 2 answers

Side effects of allowing a container to listen on port 80

To simplify service port management between Docker containers I would like to allow the contained HTTP services to listen on HTTP's default TCP port 80 of their respective container's IP address. Listening to port numbers below 1025 is classically…
aef

2 votes, 0 answers

Setting capabilities to Anaconda's python executable

I've switched to Anaconda recently, but have encountered an issue. My python code uses a C++ shared library which receives raw frames from an interface. To do this, root permissions are generally required. So as not to use sudo for each execution, I…
lessju

2 votes, 1 answer

Read /proc//fd/ without full root access

I have a program (https://github.com/raboof/connbeat) that relies on /proc/[pid]/fd/* to find processes given a (networking) inode. /proc/[pid]/fd can only be read by root, but I'd like to drop privileges as much as possible for security. Is there…
Arnout Engelen

2 votes, 1 answer

How to raise ulimit hard limit for real time priority programmatically with setuid or capability CAP_SYS_RESOURCE?

I would like to run a program under the linux SCHED_FIFO real-time class. I would prefer to keep the user's hard limit for RTPRIO set to 0, and to programmatically raise the hard limit just for the single process. It is broadly claimed that if I…
JimD.

2 votes, 1 answer

CentOS as a Docker host causes different container behavior compared to any other host OS

I am working with Docker on different hosts: RHEL7, SLES12 and CentOS7, and I found a different behavior in containers which are running on CentOS7 as Docker host, compared to containers which are running on SLES12 or RHEL7 as Docker hosts. The…
Nessi