Background: I am running a docker container which needs to load/remove a kernel module which makes USB devices attached to a remote server available on the host, which I then want to make available in the container. It works when running the container with --privileged and bind mounts for /lib/modules and /dev. Now I want to remove privileged mode and
Tag: linux-capabilities
Setcap over SSHFS
I am running a VM on my machine and have mounted a host folder inside the VM using sshfs (auto-mounted via fstab). That folder has an executable which I want to run inside the VM. But I also need some capabilities before running that executable. So my script looks like: But I am getting the error below: But if I copy
How to resolve "setsockopt(3, SOL_SOCKET, SO_MARK, [10], 4) = -1 EPERM" Operation denied for non-root users
I got two network interfaces (ethernet and wlan). Now I found a little script on github (https://github.com/Intika-Linux-Firewall/App-Route-Jail) which seems to allow me to route specific applications through the non-default gateway to load-balance the traffic a little bit. The script is using the following call: setsockopt(sd, SOL_SOCKET, SO_MARK, &mark, sizeof(mark)); As I found out via an strace I got: '-1
Do Linux capabilities partition the possible privileged operations?
More precisely, are there any operations for which more than one capability could be used to give a process the necessary permissions? Answer: The short answer is yes. I would say the overarching model is that each operation is guarded by a single capability. However, there are certainly exceptions. At a glance through the kernel/ directory, I quickly found one
What does it mean to have a capability only in the inheritable set?
My program is being run with cap_sys_admin,cap_setgid+i. Of course, I understand that they are inheritable across execve, but besides that: do they behave the same way as if I don't have them at all, since they are neither effective nor permitted? Answer: OK so your process is running with some Inheritable capabilities. What does that mean for your process? Pretty
Read /proc//fd/ without full root access
I have a program (https://github.com/raboof/connbeat) that relies on /proc/[pid]/fd/* to find processes given a (networking) inode. /proc/[pid]/fd can only be read by root, but I’d like to drop privileges as much as possible for security. Is there some way I could (efficiently) get to the relationship between processes and inodes without requiring full root rights? Perhaps some syscall that I
Is it possible to export the raw text password in Linux when the user is logging in?
I was just wondering, is it possible to export the raw text password into a file using echo "$password" >> /home/user/Desktop/file name. I know that the password is validated against the shadow file by pam_unix.so. Can the username and password be exported before the raw text is converted? Answer: Of course you can substitute the login(1) command with one of
Making an RPM which sets POSIX files capabilities
How does one make an RPM which sets the POSIX capabilities of a file? If I try doing rpmbuild as a non-root user then I get an error when my makefile’s install hooks try to run setcap, but if I don’t run setcap how will rpmbuild copy the capabilities? There doesn’t seem to be any way to set the capability
Does using linux capabilities disable LD_PRELOAD
In my custom environment an interceptor library is preloaded which runs a special implementation of the bind(), connect(), etc. calls. The problem I see is that whenever an application is explicitly granted capabilities using the setcap command, executing the application fails to preload the interceptor library and calls the default libc connect(). Is this expected behavior? If yes, what could be the reason to
Edit linux capabilities in Perl
In a C program, you can edit your capabilities with cap_set_proc from libcap. How can I achieve the same in a Perl program? Answer: Linux::Prctl may meet your needs. If not, you can use syscall() and try to do it the hard way. If that's unpalatable, too (and I would find it so), I'm sure CPAN would welcome you to