Issue #3176 has been updated by John Warburton.
I forgot to mention that we need to be able to set the file capability. In
Andrew's example, he sets the file capability to "ep" (Effective/Permitted),
which allows anyone this capability on this file.

For access control to users, I need to set file capability "ei" on the file so
that it also checks /etc/security/capability.conf:

    setcap cap_net_raw=ei /usr/sbin/tcpdump

----------------------------------------
Feature #3176: Extend the File type to manage filesystem capabilities
https://projects.puppetlabs.com/issues/3176
Author: Andrew Pollock
Status: Accepted
Priority: Normal
Assignee:
Category: file
Target version:
Affected Puppet version: 0.25.4
Keywords:
Branch:

It's starting to sound like Linux's capabilities are going to be the next Big
Thing. Puppet should be able to enforce various capabilities on files.

I imagine something like

    file { "/usr/sbin/tcpdump":
      capabilities => [ "CAP_NET_RAW" ],
    }

which would do the equivalent of running

    setcap cap_net_raw=ep /usr/sbin/tcpdump

I don't see evidence of Ruby bindings for libcap2 at this time. See
capabilities(7) for more information.
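
The difference between the "ep" and "ei" settings discussed in this issue, as an added example that is not part of the original issue or of Puppet's code: it models the execve() rule from capabilities(7) for a non-root process, ignoring ambient capabilities. The function names, the user names "netops" and "guest", the sample capability.conf and the bounding set are constructed for illustration, and the parsers cover only the simple forms shown (explicit capability lists and "none").

```ruby
require 'set'

FLAGS = { 'e' => :effective, 'i' => :inheritable, 'p' => :permitted }.freeze

# Simplified parser for setcap text such as "cap_net_raw=ei": whitespace-separated
# clauses, one operator (=, + or -) per clause. Not a full cap_from_text(3) clone.
def parse_file_caps(text)
  sets = FLAGS.values.map { |k| [k, Set.new] }.to_h
  text.split.each do |clause|
    m = clause.match(/\A([a-z_,]+)([=+-])([eip]*)\z/)
    raise ArgumentError, "unsupported clause: #{clause}" unless m
    names = m[1].split(',')
    chosen = m[3].chars.map { |c| FLAGS.fetch(c) }
    sets.each_value { |s| s.subtract(names) } if m[2] == '='
    chosen.each { |k| m[2] == '-' ? sets[k].subtract(names) : sets[k].merge(names) }
  end
  sets
end

# Inheritable set pam_cap would give `user` from capability.conf text:
# "<cap-list> <user> [<user>...]" per line, first matching line wins, "*" matches anyone.
def inheritable_for(user, conf)
  conf.each_line do |line|
    caps, *users = line.sub(/#.*/, '').split
    next unless caps && (users.include?(user) || users.include?('*'))
    return caps == 'none' ? Set.new : Set.new(caps.split(','))
  end
  Set.new
end

# execve() rule from capabilities(7) for a non-root process, ambient set ignored:
#   P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding))
#   P'(effective) = P'(permitted) if the file's effective bit is set, else empty
def effective_after_exec(file, proc_inheritable, bounding)
  permitted = (proc_inheritable & file[:inheritable]) | (file[:permitted] & bounding)
  file[:effective].empty? ? Set.new : permitted
end

# Constructed sample policy, not taken from the issue.
SAMPLE_CONF = <<~CONF
  # capability   users
  cap_net_raw    netops
  none           *
CONF
BOUNDING = Set['cap_net_raw', 'cap_net_admin'] # constructed; normally the full set

%w[cap_net_raw=ep cap_net_raw=ei].each do |spec|
  %w[netops guest].each do |user|
    got = effective_after_exec(parse_file_caps(spec), inheritable_for(user, SAMPLE_CONF), BOUNDING)
    puts format('%-16s %-7s -> %s', spec, user, got.empty? ? '(none)' : got.to_a.join(','))
  end
end
```

With "=ep" both users end up with cap_net_raw effective; with "=ei" only the user listed in capability.conf does, which is the per-user control the comment asks for.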