Stack Overflow
Stack Overflow

Questions tagged [linux-capabilities]

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero).

Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

174 questions
1
vote
0 answers

error while setting file capabilities in Docker

I'm trying to set the setfcap capability within a docker image. When I try to run the command setcap cap_setfcap=eip /usr/sbin/setcap, I get the following error: Failed to set capabilities on file '/usr/sbin/setcap' (Invalid argument)
cedrajin21
  • 65
  • 1
  • 8
1
vote
2 answers

How do I grant the mlock syscall to a container invoked via "sudo rkt run" on CoreOs

Running my app as below: sudo rkt run --insecure-options=image --interactive --net=host ./myapp.aci I get the message: Failed to lock memory: cannot allocate memory Which after some digging would seem to indicate that the container does not have…
Benjamin
  • 1,221
  • 11
  • 28
1
vote
2 answers

Is there any security benefit gained by fork()ing after dropping (root) privileges?

Especially in the Linux/POSIX world, daemons that need some root capabilities for temporary initialization purposes only (e.g., to read a root-owned private key file, or to open a port<1024, or to increase resource limits), often seem to follow a…
Will
  • 2,014
  • 2
  • 19
  • 42
1
vote
1 answer

Linux Cap_Kill Help Needed

A school assignment requires demonstrating the use of the cap_kill capability. To my understanding, this capability is supposed to allow a given program to send any signal to any process and be successful. I've used the following line: setcap…
Sethypie
  • 549
  • 6
  • 21
1
vote
1 answer

Is it possible to export the raw text password in Linux when the user is logging in?

I was just wondering, is it possible to export the raw text password into a file using echo "$password" >> /home/user/Desktop/file name. I know that the password is validated against the shadow file by pam_unix.so. Can the username and password…
Gaj
  • 150
  • 2
  • 15
1
vote
0 answers

What Linux capability to use with popen call and smartctl command line?

I have this test code to use the smartctl command. It opens a pipe using popen to get the output of this smartctl command. #include #include #include using namespace std; int main() { cout << "Hello ! " << endl; …
3bdalla
  • 407
  • 1
  • 10
  • 28
1
vote
1 answer

Get the file capabilities of a file in Linux Android

I am wondering how it's possible to get the granted capabilities for a file on the Android file system. libcap is not available for me, therefore, I can't use its functionalities to fetch this. Is there any other option?
fashasha
  • 481
  • 2
  • 7
  • 19
1
vote
0 answers

Set some capabilities in linux process then drop superuser privileges?

In a C program, I have to deal with RLIMIT_NPROC and RLIMIT_NOFILE limits and additionally bind to a port less than 1024. I am thinking to run this under an unprivileged user since my program needs only two capabilities. I saw here that I can set…
Akaks
  • 461
  • 3
  • 21
1
vote
1 answer

capset fails with pointer to struct

I have two code samples: First, runs correctly: #include #include #include int main() { __user_cap_header_struct *hdr = new __user_cap_header_struct; __user_cap_data_struct *data = new…
aviit
  • 1,957
  • 1
  • 27
  • 50
1
vote
1 answer

Linux capabilities over FUSE file system

I have a FUSE filesystem in which I coded the getxattr and setxattr like this: int mfs_setxattr(const char *path, const char *name, const char *value, size_t size, int flags) { ... /* some translation processing of path to rpath */ int ret =…
nsstl
  • 15
  • 5
1
vote
1 answer

How to add Linux capability for CAP_IPC_OWNER in limits.conf?

I have a /etc/security/limits.conf file as follows manu - memlock unlimited manu - rtprio 100 manu - nice 40 manu - stack unlimited Now I…
Manuel Selva
  • 18,554
  • 22
  • 89
  • 134
0
votes
2 answers

Network capabilities for Application

I am busy developing an application in C++ on a Linux computer. The application uses a 3rd party library that uses the Ethernet adapter and the network. The library is the library of a GigE Vision camera. On startup my application tries to connect…
CJCombrink
  • 3,738
  • 1
  • 22
  • 38
0
votes
0 answers

How to debug an application in a kube pod with gdb without capabilities, CRD or privileged user?

In a distant kube cluster I have some pod with C++ application. I need to debug them with gdb or gdbserver but : No capabilities (like SYS_PTRACE) allowed on the images No privileged user No CustomResourceDefinitions allowed in the cluster No…
BloodMarch
  • 3
  • 2
0
votes
0 answers

Java - can't start program with open socket capability

I'm trying to add open socket capabilities to a java application, I added these line to my startup script MY_JAVA_PATH=/home/dds/jdk-11.0.18+10 echo "Using java [${MY_JAVA_PATH}]" JAVA=${MY_JAVA_PATH}/bin/java echo "allowing ${JAVA} java to open…
DDS
  • 2,340
  • 16
  • 34
0
votes
1 answer

What is the Linux capability(7) to write to /proc/sys/net/ipv6/conf/$IF/disable_ipv6?

I've got a test that I'm writing for a larger program that needs to (1) create a tap device, (2) bind a raw socket, and (3) make a sysctl to disable IPv6. I'm writing to find the set of Linux capabilities to do all of these things so I don't have…
capveg
  • 107
  • 8
1 2 3
11 12