Timeline for How to configure the system so that users in a specific user group can execute programs requiring the cap_sys_admin capability?
Current License: CC BY-SA 4.0
7 events
| when toggle format | what | by | license | comment | |
|---|---|---|---|---|---|
| Mar 16 at 12:05 | vote | accept | lei hu | ||
| Mar 14 at 10:17 | answer | added | Marcus Müller | timeline score: 2 | |
| Mar 14 at 10:17 | comment | added | Stephen Kitt | Is it important that the capabilities are only granted through SSH? Otherwise, the usual technique might be simpler: provide a binary executable only by root and the privileged group, with the appropriate capabilities set on the binary itself. | |
| Mar 14 at 10:10 | comment | added | lei hu | @MarcusMüller Thank you for your response. I think you are correct. But generalizing this issue: if I want users in a specific group to have a shell process with certain capabilities created by sshd after SSH login, enabling them to perform privileged operations, is there a general method to achieve this? | |
| Mar 14 at 9:33 | comment | added | Marcus Müller |
This is an honest question: You do realize that giving a user access to CAP_SYS_ADMIN is for all practical purposes the same as giving them access as root, right? Because with CAP_SYS_ADMIN, they can (for example, there's many other ways of privilege escalation) mount file systems, thereby allowing themselves to run a shell (or any other program) with suid set, so that they get complete access as root. If you can allow that, you can just as well just allow them to sudo perf. So, are you really intending to give the user effectively root access via SSH, for them to run perf?
|
|
| S Mar 14 at 8:34 | review | First questions | |||
| Mar 16 at 12:10 | |||||
| S Mar 14 at 8:34 | history | asked | lei hu | CC BY-SA 4.0 |