[svlug] capabilities
Sarah Newman
newmans at sonic.net
Wed Sep 2 22:14:45 PDT 2015
Something called "capabilities" was discussed after the end of the talk tonight for setting more fine-grained rights than root access. I found how to use this for ping instead of setuid:
chmod u-s /bin/ping; setcap cap_net_raw+pe /bin/ping
'man capabilities' lists the options for your kernel.
This person discusses which capabilities are effectively root access circa 2011, not sure how this has changed:
https://forums.grsecurity.net/viewtopic.php?f=7&t=2522&sid=c6fbcf62fd5d3472562540a7e608ce4e#p10271
On Ubuntu, setcap is part of libcap2-bin, which has some other interesting-looking stuff:
$ apt-file show libcap2-bin
libcap2-bin: /sbin/capsh
libcap2-bin: /sbin/getcap
libcap2-bin: /sbin/getpcaps
libcap2-bin: /sbin/setcap
Ansible has an extras module for it:
https://docs.ansible.com/ansible/capabilities_module.html
--Sarah
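
An audit sketch for the file capabilities discussed in this message, added here as an example and not part of the original post: it classifies `getcap -r` output so that a narrow grant like ping's cap_net_raw is told apart from grants that amount to root. The HIGH_RISK set is an illustrative assumption (not the list from the linked forum post), the /opt/example paths are constructed sample data, and one capability clause per file is assumed.

```shell
#!/bin/sh
# Added example: classify file capabilities as printed by `getcap -r`.
# HIGH_RISK is an illustrative, non-exhaustive set picked for this example
# (an assumption, not the list from the linked forum post).
HIGH_RISK="cap_sys_admin cap_sys_module cap_sys_ptrace cap_dac_override \
cap_dac_read_search cap_setuid cap_setgid cap_chown cap_fowner cap_setfcap"

# Constructed sample input covering both getcap output styles.
sample_getcap_output() {
    cat <<'EOF'
/bin/ping = cap_net_raw+ep
/usr/bin/ping cap_net_raw=ep
/opt/example/backup-helper cap_dac_read_search,cap_chown=ep
/opt/example/debugtool =ep
EOF
}

# Read getcap lines on stdin, print "LEVEL path caps" for each.
# Assumes one capability clause per file (the common case).
classify_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$line" in
            *" = "*) path=${line%% = *}; caps=${line##* = } ;;  # older libcap
            *)       path=${line% *};    caps=${line##* } ;;    # newer libcap
        esac
        names=${caps%%[+=]*}          # drop the flag suffix (+ep, =ep)
        level=ok
        # A bare "=ep" names no capability: it grants all of them.
        [ -n "$names" ] || level=HIGH
        for c in $(printf '%s' "$names" | tr ',' ' '); do
            case " $HIGH_RISK " in *" $c "*) level=HIGH ;; esac
        done
        printf '%s %s %s\n' "$level" "$path" "$caps"
    done
}

# Demo on the constructed sample.
# On a real host: getcap -r / 2>/dev/null | classify_caps
sample_getcap_output | classify_caps
```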