[svlug] capabilities

Sarah Newman newmans at sonic.net
Wed Sep 2 22:14:45 PDT 2015


Something called "capabilities" was discussed after the end of the talk tonight for setting more fine-grained rights than root access. I found how to use this for ping instead of setuid:

chmod u-s /bin/ping; setcap cap_net_raw+pe /bin/ping

'man capabilities' lists the options for your kernel.

This person discusses which capabilities are effectively root access circa 2011, not sure how this has changed:

https://forums.grsecurity.net/viewtopic.php?f=7&t=2522&sid=c6fbcf62fd5d3472562540a7e608ce4e#p10271

On Ubuntu, setcap is part of libcap2-bin, which has some other interesting-looking stuff:

$ apt-file show libcap2-bin
libcap2-bin: /sbin/capsh
libcap2-bin: /sbin/getcap
libcap2-bin: /sbin/getpcaps
libcap2-bin: /sbin/setcap

Ansible has an extras module for it:

https://docs.ansible.com/ansible/capabilities_module.html

--Sarah
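
Added example (not part of the original message): a shell filter that reads getcap output and flags binaries whose file capabilities include ones commonly treated as close to root, so a setuid-to-setcap migration like the ping one can be audited afterwards. The HIGH_RISK list is an assumed, illustrative subset and is not taken from the linked forum post; the function names and every sample path other than /bin/ping are constructed.

```shell
#!/bin/sh
# Added example: classify `getcap` output by how broad each file capability is.
# HIGH_RISK is an assumed, illustrative subset; see capabilities(7) for your kernel.
HIGH_RISK="cap_sys_admin cap_sys_module cap_sys_ptrace cap_sys_rawio cap_dac_override cap_dac_read_search cap_setuid cap_setgid cap_setfcap cap_chown cap_fowner"

# Constructed sample input covering both getcap output styles:
#   older libcap: "/path = cap_x+ep"    newer libcap: "/path cap_x=ep"
sample_getcap_output() {
    cat <<'EOF'
/bin/ping = cap_net_raw+ep
/usr/bin/example-backup cap_dac_read_search=ep
/opt/example/tool = cap_sys_admin,cap_net_raw+eip
EOF
}

# Reads getcap lines on stdin, prints "LEVEL path caps" per file.
# Assumes one capability clause per line, as the setcap call above produces.
classify_getcap() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        caps=${line##* }      # last field: the capability clause
        path=${line% *}       # everything before it
        path=${path% =}       # drop the " =" separator of the older format
        level=other
        # Strip the flag suffix (+ep, =eip, ...) and split the comma-separated names.
        for name in $(printf '%s\n' "$caps" | sed 's/[+=][eip]*$//' | tr ',' ' '); do
            case " $HIGH_RISK " in
                *" $name "*) level=HIGH ;;
            esac
        done
        printf '%s %s %s\n' "$level" "$path" "$caps"
    done
}

# Demo on the constructed sample; on a real host use:
#   getcap -r / 2>/dev/null | classify_getcap
sample_getcap_output | classify_getcap
```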


