Questions tagged [linux-capabilities]

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero).

Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).


174 questions
1 vote, 1 answer

Permission denied for mmap /dev/mem, even with CAP_SYS_RAWIO, but works as root

We have an x86 mainboard, which has some GPIOs that are accessible using MMIO (memory-mapped input/output). The I/O region is located at address 0xfd6d0680 and following (only one page). The program works fine when executed as root (with sudo). But…
Philipp Burch
1 vote, 1 answer

Why setuid fails after capset is used?

Trying to figure out the Linux capabilities interface, I came across an unexpected issue (for me at least). When setting the capabilities of a process with the capset syscall the kernel rejects a change of userid with the setuid syscall. Does…
Lino Bossio
1 vote, 0 answers

Dropped Capability Not Removing Permissions

I have built a C++ binary and called setcap cap_net_raw,cap_setpcap+pe on it, granting the NET_RAW and SET_PCAP capabilities. I have verified these capabilities are present in the binary by successfully creating a socket(AF_PACKET, SOCK_RAW, ...).…
MooseBoys
1 vote, 1 answer

Wireshark dumpcap with setcap set to no-root capture fails to start in Ubuntu 18.10

I have recompiled the latest version of Wireshark with prefix /my-path/bin/ and want to set up non-root capture of packets. However, when I set setcap cap_net_raw,cap_net_admin=eip /my-path/bin/dumpcap then somehow dumpcap cannot be started anymore…
Konrad Eisele
1 vote, 2 answers

Setcap over SSHFS

I am running a VM on my machine and have mounted a host folder inside VM using sshfs (auto-mounted via fstab). abc@xyz:/home/machine/test on /home/vm/test type fuse.sshfs (rw,relatime,user_id=0,group_id=0,allow_other) That folder has an executable…
1 vote, 0 answers

Does a process with CAP_NET_RAW set still run in user-space?

If I execute sudo setcap cap_net_raw+ep /path/prog and prog is a program which opens a raw socket, can prog still be considered to run in user-space? How can I check it?
Maicake
1 vote, 1 answer

How to resolve "setsockopt(3, SOL_SOCKET, SO_MARK, [10], 4) = -1 EPERM" Operation denied for non-root users

I got two network interfaces (ethernet and wlan). Now I found a little script on GitHub (https://github.com/Intika-Linux-Firewall/App-Route-Jail) which seems to allow me to route specific applications through the non-default gateway to load-balance…
1 vote, 1 answer

Can install4j be used to allow applications to bind to privileged ports?

Many operating systems require special treatment when an application wants to bind (listen for incoming data) on a "privileged" port (a port number under 1024). There are various methods to deal with this. Does install4j provide functionality that…
Guus
1 vote, 0 answers

How gdb runs without capabilities?

I'm trying to understand why gdb is able to debug a process even if it runs without capabilities. My non-root user has the following configuration: $ /sbin/capsh --print Current: = Bounding set…
Alvin
1 vote, 1 answer

Run gdb inside docker container running systemd

I was able to start a docker container running systemd using sudo docker run -it -p 8022:22 -e container=docker debug-image /sbin/init However, gdb was not able to debug C processes in this environment, because it lacked the required SYS_PTRACE…
Robin Green
1 vote, 1 answer

How could I make a Linux OS for a CPU that I designed?

Background information on the architecture: I just designed a set of instructions for a CPU that I'm going to put in an FPGA, but I want to be able to make it compatible with Linux (a simple Linux system) but I just started with this and I do not know…
1 vote, 1 answer

Using setcap on /usr/bin/python2.7 does not provide subtask with rights

I (we) am (are) using Python to create packets and capture reply to test a network-device. To give python capabilities I have used: sudo setcap cap_net_admin,cap_net_raw+eip /usr/bin/python2.7 When I check the capabilities the settings look…
John Doe
1 vote, 0 answers

Changing namespace to obtain capabilities

I have code that calls functions that require CAP_NET_ADMIN capabilities. If I build my code and run the binary as-is, I get a "RTNETLINK answers: Operation not permitted" error. If I sudo run it, then it runs without the error. Can I change the…
user1118764
1 vote, 2 answers

Privileged Docker container cannot drop capabilities?

I'm running this docker run --rm --name mydocker --privileged \ -v /sys:/sys:ro \ -v /dev:/dev \ --stop-signal=SIGRTMIN+3 \ -p 8080:8080 \ -p 5005:5005 \ -p 8443:8443 \ --net=host \ --cap-drop=SYS_BOOT \ …
n-alexander
1 vote, 2 answers

What is init_user namespace in Linux?

While browsing Linux kernel code, I found the following two functions in kernel/capability.c. 1) bool has_capability(struct task_struct *t, int cap) /*Does a task have a capability in init_user_ns.*/ 2) bool has_ns_capability(struct task_struct…
Sahil Singh