linux-capabilities

Why does CAP_NET_RAW not work with SO_BINDTODEVICE?

别说谁变了你拦得住时间么 提交于 2019-12-12 13:31:27
问题 I have the following simple test program to create a UDP socket and bind it to a specific interface with SO_BINDTODEVICE so I can then bind() it so INADDR_ANY to recieve UDP broadcasts specifically on that interface. //filename: bindtest.c #include <sys/socket.h> #include <netinet/in.h> #include <stdio.h> #include <unistd.h> #include <string.h> #include <stdlib.h> #include <errno.h> #define MY_PORT (333) #define MY_DEVICE "enp0s3" #define BUFFERSIZE (1000) /* global variables */ int sock;

Run gdb inside docker container running systemd

我们两清 提交于 2019-12-11 08:29:03
问题 I was able to start a docker container running systemd using sudo docker run -it -p 8022:22 -e container=docker debug-image /sbin/init However, gdb was not able to debug C processes in this environment, because it lacked the required SYS_PTRACE capability. I tried adding --cap-add=SYS_PTRACE to the docker run command line, but then systemd appeared to hang on startup (it printed nothing to the terminal). The same thing happened when I tried passing --privileged instead. 回答1: This command

Unable to get CAP_CHOWN and CAP_DAC_OVERRIDE working for regular user

≡放荡痞女 提交于 2019-12-11 03:00:10
问题 My requirement My python server runs as a regular user on RHEL But it needs to create files/directories at places it doesn't have access to. Also needs to do chown those files with random UID/GID My approach Trying this in capability-only environment, no setuid. I am trying to make use of cap_chown and cap_dac_override capabilities. But am totally lost of how to get it working in systemctl kind of environment At present I have following in the service file: #cat /usr/lib/systemd/system/my

Java “symbol lookup error” for JLI_InitArgProcessing when running with setcap capabilities

徘徊边缘 提交于 2019-12-10 10:48:30
问题 We installed Java 11 on a server that is meant to monitor a network interface for traffic. After the initial installation ( yum install java-11-openjdk-devel.x86_64 ) the java command works properly for both root and a regular user. However, our Java application will not be running as root. We then ran: setcap cap_net_raw,cap_net_admin=eip /path/to/java It sets the capabilities, and running java -version as root works fine. But after running setcap , when I try to run java -version as a

Why is CapEff all zeros in /proc/$PID/status

て烟熏妆下的殇ゞ 提交于 2019-12-10 10:45:40
问题 I removed the setuid bit from the ping binary and added cap_net_raw+p instead as follows: $ chmod 755 /bin/ping $ setcap cap_net_raw+p /bin/ping Then I ran ping in one terminal and checked the /proc/$PID/status of the running process from another: $ ps aux | grep ping user 5468 0.0 0.0 14948 1792 pts/20 S+ 11:14 0:00 ping www.google.com user 5471 0.0 0.0 14224 896 pts/2 S+ 11:14 0:00 grep --color=auto ping $ cat /proc/5468/status | grep Cap CapInh: 0000000000000000 CapPrm: 0000000000002000

losing capabilities after setuid()

丶灬走出姿态 提交于 2019-12-07 04:50:08
问题 Trying to set cap_setgid , cap_setuid , cap_setpcap . #include <sys/types.h> #include <sys/capability.h> int main() { cap_t caps; caps = cap_get_proc(); cap_value_t cap_list[2]; cap_list[0] = CAP_SETUID; cap_list[1] = CAP_SETGID; cap_set_flag(caps, CAP_EFFECTIVE, 2, cap_list, CAP_SET); cap_set_flag(caps, CAP_INHERITABLE, 2, cap_list, CAP_SET); cap_set_proc(caps); cap_free(caps); setgid(65534); setuid(65534); cap_get_proc(); setgid(0); setuid(0); return 0; } Execution is going under root user.

Why is CapEff all zeros in /proc/$PID/status

孤街浪徒 提交于 2019-12-06 10:06:18
I removed the setuid bit from the ping binary and added cap_net_raw+p instead as follows: $ chmod 755 /bin/ping $ setcap cap_net_raw+p /bin/ping Then I ran ping in one terminal and checked the /proc/$PID/status of the running process from another: $ ps aux | grep ping user 5468 0.0 0.0 14948 1792 pts/20 S+ 11:14 0:00 ping www.google.com user 5471 0.0 0.0 14224 896 pts/2 S+ 11:14 0:00 grep --color=auto ping $ cat /proc/5468/status | grep Cap CapInh: 0000000000000000 CapPrm: 0000000000002000 CapEff: 0000000000000000 CapBnd: 0000003fffffffff CapAmb: 0000000000000000 If ping is currently running

stdbuf with setuid/capabilities

半腔热情 提交于 2019-12-06 01:42:28
I am reading output from another process which generates output (slow and infinite). Because I want to read this data in real-time I use "stdbuf -oL" (line-buffered, data is text). I do not have control of the generating process so I cannot modify the source to force flushing. So far stdbuf works just fine, however the process uses SOCK_RAW and needs either to be run as root, have setuid(0) or the cap_net_raw capability. When running as non-root with setuid or capabilities stdbuf seems to be ignored. Let me demonstrate the problem: This is a simple writer: #include <stdio.h> #include <unistd.h

How to use CAP_SYS_ADMIN

牧云@^-^@ 提交于 2019-12-05 04:45:58
Can somebody please explain to me how to use or set CAP_SYS_ADMIN in c? I need that capability to unmount a usb drive but don't know how to use it. Here's how to do it using the command-line: $ sudo setcap cap_sys_admin+ep executable-name and $ getcap executable-name executable-name = cap_sys_admin+ep You, of course, need the libcap package. A good place to learn how to do it in C would be the source for setcap which is here 来源: https://stackoverflow.com/questions/26504457/how-to-use-cap-sys-admin

Linux capabilities with yocto

爷,独闯天下 提交于 2019-12-02 02:34:49
I want to give several files Linux capabilities (e.g. CAP_NET_ADMIN). I am using Yocto and my file system should be read-only and must not be changed after flashing the software (this means pkg_postinst with setcap that would usually work is not possible). Is there any other way to give capabilities to files without changing the file structure after booting the target? pkg_postinst scripts already get executed while building the read-only rootfs, so this approach works. You must ensure that the commands that you call in the script are available in the build host, though, otherwise execution of
订阅 linux-capabilities