On Tue, Dec 10, 2013 at 12:56 PM, Grant Edwards <grant.b.edwa...@gmail.com> wrote: > On 2013-12-10, Canek Pel??ez Vald??s <can...@gmail.com> wrote: > >>> How do you grant a capability (e.g. CAP_NET_RAW) to a user? > >> From man:capabilities(7): "Capabilities are a per-thread attribute." >> >> I don't think you can grant any capability to a user. > > I've found some indications that you can. Various references to > PAM_CAP imply that I should be able to do what I want. From > http://blog.siphos.be/2013/05/restricting-and-granting-capabilities/: > > You can also grant capabilities to users selectively, using > pam_cap.so (the Capabilities Pluggable Authentication Module).
I think my proposal could be implemented using PAM, but it would be the same, I suppose. > But the example provided only shows how to grant capabilities to a > user that can then be inherited by files which must also have that > same capability enabled. That's not quite what I want to do (and it > doesn't seem to work). The restriction to files already having the capability is for security reasons, obviously: if a user has certain capability, and she forgets to change the others access to some executable, then anyone has the capability (if I understand correctly). > There are two reasons that granting the capability to the executable > isn't feasible: > > 1) Some of the programs are written in Python, and I don't want to > grant the capability to all Python programs by setting the > capability on /usr/bin/python. Again, create an executable with CAP_SETPCAP that executes the Python programs and sets the capabilities for the running program. > 2) Some of the programs are ELF executables (compiled C programs) > that are under developement and are being continuously re-built > and re-run. If I have to do a "sudo setcap" everytime I > compile/run a program, then I might as well just do "sudo > <program>" the way I do now. You can create (once) an executable with CAP_SETFCAP, which your build system calls automatically every time you recompile and that sets the CAP_NET_RAW capability for the resulting executable. Not very secure anyway, but I think it could work. >> A workaround for what you want is to write a little executable that >> only execvp's bash (or whatever shell you use), grant that executable >> CAP_NET_RAW, and then set it as default shell with usermod. > > I thought about that, but that seems fragile. > I supposed I could set the capability on /bin/bash with +p instead of > +ep, then it should only take effect for users who have the capability > enabled (though I haven't been able to get that to work yet). I think the problem is that you want to use capabilities in a way that they are not designed for: you don't set capabilities at development time, you do it at deployment time. I would develop in a container or a VM until the program is ready and then deploy it with capabilities enabled. Regards. -- Canek Peláez Valdés Posgrado en Ciencia e Ingeniería de la Computación Universidad Nacional Autónoma de México
