Questions tagged [capabilities]
POSIX Capabilities are a way to split full superuser privileges into smaller partitions of privileges. Use this tag for questions on managing and using capabilities.
135 questions
1 vote, 1 answer, 52 views
Process can't create tun/tap when run as non-root systemd --user service even with CAP_NET_ADMIN
I'm trying to run nebula (an overlay networking tool) as a systemd user service, NOT as a system service with user and group defined in the unit file.
All examples about running a service with ...
1 vote, 0 answers, 133 views
How come `setcap all=eip` has fewer capabilities than `setcap cap_sys_admin=eip`?
This question is a follow up to this question:
Can a non-zero (not 0, not root) user run a process with capabilities `[pid]: =ep`?
And it is likely related to my other question here: Do child ...
5 votes, 1 answer, 165 views
Do child processes inherit capabilities of parent processes?
I am having a difficult time understanding how capabilities are inherited. It is possible there is no such thing as "capability inheritance" and that I have completely misunderstood this ...
0 votes, 0 answers, 64 views
Can a non-zero (not 0, not root) user run a process with capabilities `[pid]: =ep`?
I am learning about capabilities for the first time:
https://man7.org/linux/man-pages/man7/capabilities.7.html
As a frontend web developer, learning about this type of linux material feels like I ...
0 votes, 0 answers, 76 views
Cannot bind to port 80 with normal user despite setting cap_net_bind_service=ep on binary
I want to bind to port 80 using cap_net_bind_service using normal user.
I enabled cap_net_bind_service capability on the binary using sudo setcap cap_net_bind_service+ep server
Inside the code, I make ...
0 votes, 0 answers, 105 views
How can I set capability to systemd user service?
I have a systemd user service (not a system service with a User=), but I need to grant NET_ADMIN to this service. How do I do it?
I can use fcap, but I'm trying to find another way.
Thanks.
2 votes, 0 answers, 133 views
Am I right that /proc/PID/status capabilities are always shown in the user namespace of PID?
I always assumed that /proc/[PID]/status shows capabilities that PID has in the user namespace of the process that opens /proc/[PID]/status, not in the user namespace of PID, but it seems that I was ...
0 votes, 0 answers, 31 views
IPC_LOCK not available at LXC startup during boot
I am running a Linux Container (LXC) with (Hashicorp) vault installed that requires IPC_LOCK.
Whenever I reboot or boot, it fails to start up vault with autostart. From what I can see in the logs it ...
0 votes, 1 answer, 443 views
Setting large fs.pipe-max-size
When I increase fs.pipe-max-size like so:
echo "fs.pipe-max-size = N" >> /etc/sysctl.conf
sysctl -p
(N is ~4-10Mbytes)
And use F_SETPIPE_SZ to change named pipe sizes to N, sometimes ...
0 votes, 0 answers, 421 views
Why can't root edit /var/spool/cron/crontabs?
[Please, I don't want to know why I shouldn't edit it; I want to know why I can't edit it]
# pwd
/var/spool/cron/crontabs
# ll sysadmin
-rw------- 1 sysadmin crontab 210 Jun 17 16:05 sysadmin
# getcap ...
0 votes, 1 answer, 264 views
How to increase kernel parameter (`msgmnb`) for a systemd-nspawn container
I have a systemd-nspawn container in which I am trying to change the kernel parameter for msgmnb. When I try to change the kernel parameter by directly writing to the /proc filesystem or using sysctl ...
0 votes, 1 answer, 114 views
What is the proper syntax of capsh --caps?
capsh --caps is documented in --help as,
--caps=xxx set caps as per cap_from_text()
What is the right syntax here? Can anyone demonstrate this working?
3 votes, 1 answer, 935 views
Why does chown reset/remove the SUID bit and reset capabilities?
This command:
sudo chown -R root:root directory
will remove the SUID bit and reset all capabilities for files. I wonder why it's done silently and it's not mentioned in the man page. Weirdly the GUID ...
2 votes, 1 answer, 2k views
Assign capability to systemd service and specific user
I am working on an embedded system device which basically has root user.
I have a systemd service call.service which works fine with root access.
The service basically creates a few sockets and then ...
0 votes, 1 answer, 915 views
After executing setcap, why I still can't use tar and got an error "operation not permitted"?
Question
I'm doing my internship, working on container security, and recently I need to build a container which has a security problem to do some tests. Here is my dockerfile
FROM dockerfiles/centos-lamp
...