Issue #3176 has been updated by John Warburton.

This functionality would be great. For now, I have to use a set of execs. 

I already use Solaris RBAC functionality in puppet to allow the puppet user to 
run web servers etc and listen on ports < 1024

    user {'puppet':
        keys       => 'defaultpriv=basic,net_privaddr',
    }

The use case above is to set cap_net_raw on /usr/sbin/tcpdump, ensure 
pam_cap.so is included in /etc/pam.d and add an entry for users to inherit 
this capability in /etc/security/capability.conf:

    cap_net_raw  userX


See [Chris Friedhoff's POSIX Capabilities Page](http://www.friedhoff.org/posixfilecaps.html#Examples%20-%20Types%20of%20usage%20of%20POSIX%20Capabilities%20-%20Different%20privilege%20levels%20for%20different%20user%20rolls%20-%20Intro) for an excellent writeup.
----------------------------------------
Feature #3176: Extend the File type to manage filesystem capabilities
https://projects.puppetlabs.com/issues/3176

Author: Andrew Pollock
Status: Accepted
Priority: Normal
Assignee: 
Category: file
Target version: 
Affected Puppet version: 0.25.4
Keywords: 
Branch: 


It's starting to sound like Linux's capabilities are going to be the next Big 
Thing. Puppet should be able to enforce various capabilities on files.

I imagine something like

    file { "/usr/sbin/tcpdump":
      capabilities => [ "CAP_NET_RAW" ],
    }

which would do the equivalent of running 

    setcap cap_net_raw=ep /usr/sbin/tcpdump

I don't see evidence of Ruby bindings for libcap2 at this time. See 
capabilities(7) for more information.
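The three steps from the comment above (setcap on tcpdump, pam_cap.so in /etc/pam.d, a capability.conf entry) written as the idempotent exec resources the comment describes as its current workaround; this is an added example, not code from the issue or from Puppet itself. Note the file set is `cap_net_raw=ei` rather than the `=ep` in the issue text: `=ep` hands the capability to anyone who runs the binary, while `=ei` only yields it to processes whose inheritable set already holds cap_net_raw, which is what pam_cap provides for listed users. Assumed: libcap's setcap/getcap and pam_cap.so are installed, the auth stack to extend is a Debian-style /etc/pam.d/common-auth, and "userX" is a placeholder account name.

```puppet
# Added example (not from the issue): the "set of execs" workaround for the
# tcpdump use case, each guarded so it only runs when the state is missing.
# Assumptions: setcap/getcap and pam_cap.so are installed, and
# /etc/pam.d/common-auth (Debian layout) is the auth stack to extend.
# "userX" is a placeholder account name.

$tcpdump = '/usr/sbin/tcpdump'
$capuser = 'userX'
$pamfile = '/etc/pam.d/common-auth'
$capconf = '/etc/security/capability.conf'
$bin     = ['/sbin', '/usr/sbin', '/bin', '/usr/bin']

# 1. File capability: inheritable + effective, nothing permitted. The process
#    only gains cap_net_raw if its own inheritable set holds it, which is what
#    pam_cap raises for users listed in capability.conf. The grep accepts both
#    getcap output styles ("= cap_net_raw+ei" and "cap_net_raw=ei").
exec { 'setcap-tcpdump':
  command => "setcap cap_net_raw=ei ${tcpdump}",
  unless  => "getcap ${tcpdump} | grep -Eq 'cap_net_raw[+=]ei'",
  path    => $bin,
}

# 2. Load pam_cap.so in the auth stack so the inheritable set is raised at
#    login. "optional" keeps logins working if the module is absent.
exec { 'pam-cap':
  command => "sh -c 'echo \"auth optional pam_cap.so\" >> ${pamfile}'",
  unless  => "grep -q 'pam_cap.so' ${pamfile}",
  path    => $bin,
}

# 3. Grant the capability to the placeholder user. The match is anchored so a
#    user whose name is a prefix of another does not satisfy the check.
exec { 'capability-conf':
  command => "sh -c 'echo \"cap_net_raw ${capuser}\" >> ${capconf}'",
  unless  => "grep -Eq '^cap_net_raw[[:space:]]+${capuser}\$' ${capconf}",
  path    => $bin,
}
```

After a run, `getcap /usr/sbin/tcpdump` should report cap_net_raw with e and i set, and only a fresh login session of userX (so pam_cap has run) can capture without root.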

