I have an application that I want to be able to change the hostname in Linux. Currently doing so by running the hostname command. I don't want to set CAP_SYS_ADMIN either. I also don't want to edit /etc/hostname and reboot.
Is there a capability that only just allows changing the hostname? If not what are my options?
Setting the hostname in linux is done via the sethostname(2) syscall. And /bin/hostname is a bare wrapper around this syscall (and a few related syscalls). /etc/hostname is supposed to be read during the boot process by some script, who subsequently runs /bin/hostname to complish its job.
CAP_SYS_ADMIN is one of linux capabilities(7), allows a thread to perform various system administration operations, which include sethostname. I'm not aware of a smaller ganularity within the capabilities framework.
However there are other options. We can grant some user ability to run some command as another user, by sudo(8), in a customisable manner. This example sudoers(5) configuration will allow user alice to run /bin/hostname as root.
alice ALL=(root:ALL) /bin/hostname
As described in this superuser question, the first "ALL" can be replaced by the hosts where the command is run on, not of use unless in a cooperative environment. "root" can be replaced by "ALL" to allow alice to run as any user. Second "ALL" can be replaced by the groups.
The last field is commands alice is allowed to run. As /bin/hostname has limited usage, I guess it is fine. Otherwise we may have it followed by an argument, thus alice cannot run the command without this argument, to restrain the power.
