Questions tagged [setcap]
The setcap tag has no summary.
27 questions
1 vote, 1 answer, 514 views
Reproduce setcap behavior with capsh
There is a non-capability-aware program that requires at least 1) cap_sys_admin and 2) either cap_dac_override or cap_dac_read_search. This can be proven as follows:
sudo setcap 'all=ep cap_sys_admin-...
3 votes, 2 answers, 2k views
how to set capabilities (setcap) on perf
I'd like to use the perf utility. I was following instructions to set up a privileged group of users who are permitted to execute performance monitoring and observability without limits (as instructed ...
1 vote, 1 answer, 8k views
How to use tcpdump safely (-Z option vs file capabilities / setcap)?
I am evaluating how tcpdump can be used in a safer manner with as few privileges as possible. Two possibilities:
1. -Z option
If tcpdump is running as root, after opening the capture device or input ...
7 votes, 1 answer, 11k views
Why ping works without capability and setuid [duplicate]
I learned from here that there are 2 ways to control privileged activities: setuid and capability.
But when I'm playing around with ping on my machine, it seems that it can bypass these 2 mechanisms.
...
2 votes, 1 answer, 4k views
Should I grant sudo to a user or add CAP_SYS_ADMIN capabilities to use nvprof/ncu? And why?
Since CUDA 10.1, users are required to have sudo privileges to collect advanced metrics with cuda profiling tools such as nvprof or nsight compute (ncu).
Alternatives to get around it are described ...
0 votes, 0 answers, 402 views
How to setcap wifi-menu on Arch for non-root users?
I'm trying to run wifi-menu on Arch as non-root. No setcap I've tried works.
[root@lilegg johny]# setcap CAP_NET_ADMIN,CAP_SYS_ADMIN,CAP_NET_RAW,CAP_DAC_OVERRIDE=eip /usr/bin/wifi-menu
[root@lilegg ...
6 votes, 0 answers, 514 views
Is there something like 'sudo' but give only one capability not real root?
I want to run a one-time web server on port 80, which I will never run again.
Is there something like 'sudo' that gives only temporary CAP_NET_BIND_SERVICE, not real root, to a process? So that we ...
1 vote, 0 answers, 297 views
After setcap on executable, curl_easy_perform throws out of memory error
I've cross compiled an executable to run on Debian Stretch that requires a specific version of cURL (greater than 7.56) to run, and needs specific capabilities during execution. So on the executable ...
0 votes, 1 answer, 3k views
setcap binary but with arguments?
I'm trying to start BoringTun with setcap in order for it to run unprivileged but still have the ability to fmark:
root@67672793823c:/# setcap cap_net_admin+epi /usr/local/sbin/boringtun --foreground ...
2 votes, 2 answers, 731 views
Difference between file capability and process capability
I am trying to understand POSIX Capabilities. Sometimes, when reading the documentation they refer to file capabilities and sometimes to process capabilities.
What is the difference between file and ...
0 votes, 2 answers, 828 views
Why sudo isn't acceptable?
I need to create a network bridge with 'brctl addbr br-lan' command in a sh script without using sudo.
I have a script like:
brctl addbr br-lan
ifconfig lo up
I have tried to set capabilities to my ...
13 votes, 1 answer, 8k views
Is setcap deprecated?
I'm starting a webserver as non-root using a systemd unit file.
I am getting listen tcp :80: bind: permission denied even though I already ran
setcap cap_net_bind_service=+ep
on the executable.
In ...
25 votes, 2 answers, 39k views
Setcap not found in Debian 9
I'm using an installation script that needs setcap and it's not found. What package contains it? libcap2 is already installed.
0 votes, 0 answers, 1k views
setcap settings do not reflect in getcap
root@localhost:~# setcap cap_net_raw+p /bin/ping
root@localhost:~# getcap /bin/ping
root@localhost:~# ls -l $(which ping)
-rwsr-xr-x. 1 root root 34752 Nov 8 2014 /bin/ping
root@localhost:~# ping ...
46 votes, 2 answers, 130k views
How to set capabilities with setcap command?
I would like to set up wpa_supplicant and openvpn to run as non-root user, like the recommended setup for wireshark. I can't find any documentation for what +eip in this example means:
sudo setcap ...