On 2013-12-10, Canek Peláez Valdés <can...@gmail.com> wrote:

>> How do you grant a capability (e.g. CAP_NET_RAW) to a user?
>
> From man:capabilities(7): "Capabilities are a per-thread attribute."
>
> I don't think you can grant any capability to a user.

I've found some indications that you can. Various references to PAM_CAP
imply that I should be able to do what I want.

From http://blog.siphos.be/2013/05/restricting-and-granting-capabilities/:

  You can also grant capabilities to users selectively, using pam_cap.so
  (the Capabilities Pluggable Authentication Module).

But the example provided only shows how to grant capabilities to a user
that can then be inherited by files which must also have that same
capability enabled. That's not quite what I want to do (and it doesn't
seem to work).

There are two reasons that granting the capability to the executable
isn't feasible:

 1) Some of the programs are written in Python, and I don't want to grant
    the capability to all Python programs by setting the capability on
    /usr/bin/python.

 2) Some of the programs are ELF executables (compiled C programs) that
    are under development and are being continuously re-built and re-run.
    If I have to do a "sudo setcap" every time I compile/run a program,
    then I might as well just do "sudo <program>" the way I do now.

> A workaround for what you want is to write a little executable that
> only execvp's bash (or whatever shell you use), grant that executable
> CAP_NET_RAW, and then set it as default shell with usermod.

I thought about that, but that seems fragile.

I suppose I could set the capability on /bin/bash with +p instead of +ep;
then it should only take effect for users who have the capability enabled
(though I haven't been able to get that to work yet).

-- 
Grant Edwards               grant.b.edwards        Yow! My vaseline is
                                  at               RUNNING...
                               gmail.com
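As an added example (not code from the thread or from pam_cap), a small Python model of the execve(2) capability rule documented in capabilities(7), in its pre-Linux 4.3 form without the ambient set, applied to the combinations discussed above: pam_cap.so placing cap_net_raw in a user's inheritable set together with a binary marked +i, a binary marked +p, and the usual +ep. The user names and the bounding-set mask are constructed for the example.

```python
# Model of the capability transformation execve(2) applies, per
# capabilities(7).  The ambient set (Linux 4.3+) is omitted, matching the
# 2013 rules discussed in the thread.  Added example, not the thread's code.
from dataclasses import dataclass

CAP_NET_RAW = 1 << 13          # bit number from <linux/capability.h>
ALL_CAPS = (1 << 38) - 1       # constructed: unrestricted bounding set


@dataclass(frozen=True)
class Caps:
    """Capability sets of a thread before/after exec."""
    permitted: int = 0
    inheritable: int = 0
    effective: int = 0


@dataclass(frozen=True)
class FileCaps:
    """File capability sets as written by setcap(8): +p, +i and the +e flag."""
    permitted: int = 0
    inheritable: int = 0
    effective: bool = False


def execve_caps(proc: Caps, f: FileCaps, bounding: int = ALL_CAPS) -> Caps:
    """Capability sets of the new program image (capabilities(7) formula).

    P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & bounding)
    P'(effective) = P'(permitted) if F(effective) else 0
    P'(inheritable) = P(inheritable)
    Note the file checked is the one exec'd: for a Python script that is the
    interpreter, which is why xattrs on the script itself never matter here.
    """
    new_permitted = (proc.inheritable & f.inheritable) | (f.permitted & bounding)
    new_effective = new_permitted if f.effective else 0
    return Caps(permitted=new_permitted, inheritable=proc.inheritable,
                effective=new_effective)


def has_cap(caps: Caps, cap: int) -> bool:
    """True if the capability is usable or raisable (in the permitted set)."""
    return bool(caps.permitted & cap)


# Constructed sessions: alice has "cap_net_raw  alice" in capability.conf,
# so pam_cap.so put the bit in her inheritable set; bob has no entry.
alice = Caps(inheritable=CAP_NET_RAW)
bob = Caps()
ping_i = FileCaps(inheritable=CAP_NET_RAW)                   # setcap cap_net_raw+i
bash_p = FileCaps(permitted=CAP_NET_RAW)                     # setcap cap_net_raw+p
ping_ep = FileCaps(permitted=CAP_NET_RAW, effective=True)    # setcap cap_net_raw+ep
```

Running the cases shows that only the +i file gates on the user's inheritable set; +p lands in permitted for every user, and +i alone leaves the effective set empty, so the program must raise the capability itself (for example with cap_set_proc) before using it.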