linux-capabilities

How can we add capabilities to a running docker container?

瘦欲@ submitted on 2020-12-24 23:48:45
Question: Is it possible to add a capability (e.g. NET_ADMIN) after the container has actually started? I started a container a few days ago, and a service provided by it is being used by several other processes which are running remotely on other servers. I need to add a loopback interface to it, but unfortunately I forgot to start the container with --cap-add=NET_ADMIN and hence couldn't add the interface now. I'm looking for an option, if it is possible to give this capability somehow to this

How can we add capabilities to a running docker container?

╄→尐↘猪︶ㄣ submitted on 2020-12-24 23:48:30
Question: Is it possible to add a capability (e.g. NET_ADMIN) after the container has actually started? I started a container a few days ago, and a service provided by it is being used by several other processes which are running remotely on other servers. I need to add a loopback interface to it, but unfortunately I forgot to start the container with --cap-add=NET_ADMIN and hence couldn't add the interface now. I'm looking for an option, if it is possible to give this capability somehow to this

Which capabilities are needed for statx to stop giving EPERM

非 Y 不嫁゛ submitted on 2019-12-23 18:13:26
Question: I have a Qt project that uses a plugin interface which compiles fine on my system. However, when the same project is compiled inside Docker it stopped working with Qt 5.10.1, giving the message "Error: Undefined interface". After some strace-ing of the moc run, it turned out that a header file that defines the interface is not found because the statx call on the include's filepath always returns EPERM. The documentation does not even mention how this error can be generated. docker run -

How to use CAP_SYS_ADMIN

风流意气都作罢 submitted on 2019-12-22 05:03:25
Question: Can somebody please explain to me how to use or set CAP_SYS_ADMIN in C? I need that capability to unmount a USB drive but don't know how to use it.
Answer 1: Here's how to do it using the command line:
$ sudo setcap cap_sys_admin+ep executable-name
and
$ getcap executable-name
executable-name = cap_sys_admin+ep
You, of course, need the libcap package. A good place to learn how to do it in C would be the source for setcap which is here
Source: https://stackoverflow.com/questions/26504457/how-to-use-cap

stdbuf with setuid/capabilities

喜你入骨 submitted on 2019-12-21 20:38:31
Question: I am reading output from another process which generates output (slow and infinite). Because I want to read this data in real time I use "stdbuf -oL" (line-buffered, data is text). I do not have control of the generating process so I cannot modify the source to force flushing. So far stdbuf works just fine; however, the process uses SOCK_RAW and needs either to be run as root, have setuid(0) or the cap_net_raw capability. When running as non-root with setuid or capabilities stdbuf seems to be

How to find out what Linux capabilities a process requires to work?

☆樱花仙子☆ submitted on 2019-12-18 05:47:31
Question: I am in a difficult situation where I don't know what Linux capabilities a process requires to work. What is the best way, or any way, to find out what cap is required? The only thing I can think of right now is using capsh and dropping all caps on a process. The process then fails and I start to add caps (by removing --drop=CAP_XZY) until it works. Any better suggestions?
Answer 1: Another method, that I've come across a while ago in this blog post by Brendan Gregg, is to use capabilities tracer -

What does it mean to have a capability only in the inheritable set?

拥有回忆 submitted on 2019-12-13 08:27:13
Question: My program is being run with cap_sys_admin,cap_setgid+i. Of course, I understand that they are inheritable across execve, but besides that: do they behave the same way as if I don't have them at all, since they are neither effective nor permitted?
Answer 1: OK, so your process is running with some Inheritable capabilities. What does that mean for your process? Pretty much nothing. You can't call setcap() to make any of those capabilities Effective, since they're not in your Permitted set, and