Hello Allen.
Capabilities for a binary without ambient flag won't work for a non-root
user if I get it correctly from manuals.
So it looks like you are on the way to success with '--ambient-caps'.
It looks like 'su' drops all capabilities, though.
You may want to have a look at libpam_cap which may solve this problem
for you.
Other than this the approach should work.
Best regards,
Igor.
On 19.10.2020 12:24, allenhe wrote:
A non-root process needs to signal reload to the nginx master (as root) without
sudo.
I've tried using setcap and setpriv with CAP_KILL; both do not work.
# getcap nginx/sbin/nginx
nginx/sbin/nginx = cap_kill+ip
# su user01 -s /bin/sh -c 'nginx/sbin/nginx -s reload'
nginx: [alert] kill(68, 1) failed (1: Operation not permitted)
# setpriv --inh-caps +cap_5 --ambient-caps +cap_5 su user001 -s /bin/sh -c 'nginx/sbin/nginx -s reload'
nginx: [alert] kill(68, 1) failed (1: Operation not permitted)
I don't know if this is specific to nginx only or if I misused the Linux
capability?
Looking forward to the help.
BR,
Allen
Posted at Nginx Forum:
https://forum.nginx.org/read.php?2,289755,289755#msg-289755
_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
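
Added example (not part of the original messages, and not nginx, su or setpriv code): a small Python model of the execve() and UID-change rules in capabilities(7), applied to the two commands quoted in the thread plus three variants. The three-name stand-in for the full capability set and all helper names are constructed for illustration, and the model assumes the target binary does not raise capabilities itself.

```python
# Added example: simplified capabilities(7) model (non-root execve, root -> non-root UID change).
from dataclasses import dataclass, replace

NONE = frozenset()
KILL = frozenset({"cap_kill"})
ALL = frozenset({"cap_kill", "cap_setuid", "cap_setgid"})  # constructed stand-in for the full set

@dataclass(frozen=True)
class Proc:
    permitted: frozenset = NONE
    effective: frozenset = NONE
    inheritable: frozenset = NONE
    ambient: frozenset = NONE
    bounding: frozenset = ALL

def drop_root(p):
    """UIDs change from 0 to nonzero without SECBIT_KEEP_CAPS (assumed for su):
    permitted, effective and ambient are cleared; inheritable survives."""
    return replace(p, permitted=NONE, effective=NONE, ambient=NONE)

def execve(p, f_permitted=NONE, f_inheritable=NONE, f_effective=False):
    """Non-root execve() of a file carrying the given file capability sets."""
    privileged = bool(f_permitted or f_inheritable or f_effective)
    ambient = NONE if privileged else p.ambient  # file caps reset ambient
    permitted = (p.inheritable & f_inheritable) | (f_permitted & p.bounding) | ambient
    effective = permitted if f_effective else ambient
    return replace(p, permitted=permitted, effective=effective, ambient=ambient)

def can_signal_root(p):
    """kill() to a root-owned process from another UID needs CAP_KILL effective."""
    return "cap_kill" in p.effective

def via_su(start, **file_caps):
    """root shell -> su drops UID -> /bin/sh (no file caps) -> target binary."""
    return execve(execve(drop_root(start)), **file_caps)

root = Proc(permitted=ALL, effective=ALL)
ip = dict(f_permitted=KILL, f_inheritable=KILL)              # cap_kill+ip
case1 = via_su(root, **ip)                                   # plain su
case2 = via_su(replace(root, inheritable=KILL, ambient=KILL), **ip)  # setpriv, then su
with_ep = via_su(root, f_permitted=KILL, f_effective=True)   # cap_kill+ep
# Hypothetical: user already holds cap_kill as inheritable (pam_cap-style grant), file is cap_kill+ei.
with_ei = execve(Proc(inheritable=KILL), f_inheritable=KILL, f_effective=True)
# Ambient set present after the UID change: works only if the file has no caps.
amb = Proc(permitted=KILL, inheritable=KILL, ambient=KILL)
ambient_plain, ambient_ip = execve(amb), execve(amb, **ip)
if __name__ == "__main__":
    for name in ("case1", "case2", "with_ep", "with_ei", "ambient_plain", "ambient_ip"):
        print(f"{name:14} can signal root-owned master: {can_signal_root(globals()[name])}")
```

In this model a cap_kill+ep file gives the capability to every user who can execute it, while cap_kill+ei limits it to sessions that already hold cap_kill as inheritable.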