Stack Overflow
Stack Overflow

Questions tagged [linux-capabilities]

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero).

Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

174 questions
2
votes
1 answer

assigning linux capability to one java process

I run many java processes but I just want to assign cap_net_raw linux capability to just one java process. Currently if I do this "setcap cap_net_raw=ep /usr/java/default/bin/java" then this capability get assigned to all java processes. After…
Santi
  • 67
  • 7
2
votes
3 answers

Unable to get CAP_CHOWN and CAP_DAC_OVERRIDE working for regular user

My requirement My python server runs as a regular user on RHEL But it needs to create files/directories at places it doesn't have access to. Also needs to do chown those files with random UID/GID My approach Trying this in capability-only…
mittal
  • 915
  • 10
  • 29
2
votes
1 answer

linux capabilities - iptables as child process

I have a process that fork-execlp "iptables-restore file.rules". It looks like it doesn't have the permission since I don't see some of the rules not listed like INPUT DROP after the process executes. When I run this process as a root, it seems to…
resultsway
  • 12,299
  • 7
  • 36
  • 43
2
votes
0 answers

Autoconf, setcap and checkinstall

I have an autoconf project that contains a post-install hook like this: install-exec-hook: setcap cap_net_raw+ep $(bindir)/myexecutable I use checkinstall to package it up and install it on my local system, however after checkinstall is done,…
brooks94
  • 3,836
  • 4
  • 30
  • 57
1
vote
1 answer

Unable to drop all capabilities but CAP_SETUID

I am strace-ing a process that fails over a call to capset. To make sure that the process has the correct capabilities I added a capget just before the capset. The result of strace is now: [pid 27909] capget( …
Siscia
  • 1,421
  • 1
  • 12
  • 29
1
vote
0 answers

Setting cap_net_bind_service=+ep flag to Java executable changes Tomcat GC logging verbosity in IntelliJ

I am running a Spring Boot 2.7 application on Java 11. Spring Boot 2.7 is using embedded Tomcat 9.0 internally. To troubleshoot a unrelated problem I set the CAP_NET_BIND_SERVICE capability of the Java executable to +ep (effective, permitted) in the…
simon
  • 12,666
  • 26
  • 78
  • 113
1
vote
1 answer

SetCap with NFS

I am working on a project that requires using raw_sockets and raw sockets to work needs CAP_NET_RAW we used setcap and it worked fine, now the executable is on NFS, and nw setcap can’t be used is their a work around? Thanks in advance I tried chown…
Mostafa Ramadan
  • 11
  • 1
1
vote
0 answers

Is there any way to replace --privileged with --security-opt and --cap-add in docker?

I want to run a specific container(k3s) need privileged mode in a windows docker with(lcow feature), but windows do not support --privileged. so Is there any way to replace it with --security-opt and --cap-add?
bangzhuzhu
  • 11
  • 2
1
vote
1 answer

Which Linux capability to use to properly run "sysctl -w net.ipv4.conf.tun0.route_localnet=1" in a Docker container?

I'm using an OpenVPN server in a Docker container for multiple client connections. This container is located in a specific Docker network in which I have a web server as client target. I want to publish the host name of my web server to clients so…
jbaptperez
  • 656
  • 6
  • 20
1
vote
0 answers

seccomp and apparmor vs in-container root user

I'm trying to build Docker images without a privileged builder, therefore DinD is not an option. I found now two ways of achieving that with either kaniko or img. Both of them work in my local Docker setup and achieve that goal: docker run --rm -it…
cmdjulian
  • 123
  • 1
  • 1
  • 6
1
vote
0 answers

How to add docker run --cap-add SYS_BOOT --cap-add SYS_ADMIN to the Dockerfile itself?

https://github.com/darkdragon-001/Dockerfile-Ubuntu-Gnome This is the command which is adding capabilities to the docker run command of the ubuntu gnome container. I want this --cap-add to be automated rather than typing in the command manually each…
Nipun Sharma
  • 11
  • 3
1
vote
1 answer

Linux capabilities to launch process as root from a user mode program in C++

I am trying to launch a child-process as root from a non-root parent-process. I am thinking to use capabilities to make that work. What I have tried so far is that, have set the file cap permitted for parent process to…
kishoredbn
  • 2,007
  • 4
  • 28
  • 47
1
vote
1 answer

[Linux Difference between SUID and cap_setuid of binary]

"I dont understand difference between SUID of binary and cap_setuid in linux.Then, difference between SUID and setuid"
kaiharvez
  • 11
  • 1
1
vote
0 answers

Systemd services with private networking fail when run in nspawn container

I'm running a systemd nspawn container, and noticed that many of the built-in systemd services are in a failing state. Investigating, I've found that the failed services are all using PrivateNetwork=yes. Looking at the service's logs, it appears the…
Michael
  • 462
  • 1
  • 6
  • 18
1
vote
1 answer

Linux process capabilities empty despite executable has them set

I have a wrapper program, which is used only to add CAP_NET_RAW capability to a nodejs script. The binary has set capabilities to cap_net_raw+eip, but the process does not get them and setting them causes EPERM (Operation not permitted). The wrapper…
trogper
  • 1,516
  • 1
  • 12
  • 14
1 2 3
11 12