Unable to set capability CAP_SETFCAP by user
Solution 1
If a user/process has cap_setfcap
or cap_dac_override
, then it is trivial to gain root access.
If the user is trusted you can add them to group sudo/sudoers (depends on configuration), and they can use sudo
.
You can even add rules to /etc/sudoers.d/
to allow the user to run setcap
only, and only in the specified ways. However this will just give you a false sense of security.
Solution 2
Because your /sbin/setcap
doesn't have CAP_SETFCAP
bit in neither inheritable set, nor permitted set. The file's effective bit is not set as well.
And as richard
said, it 'll make no sense of security if you grant these 2 capabilities to any non-root user
Related videos on Youtube
clerksx
Hi there! I work on Linux kernel memory management and also help maintain systemd. You can find me at: chrisdown.name GitHub LinkedIn
Updated on September 18, 2022Comments
-
clerksx almost 2 years
The question is about capabilities. I need to allow user to set capabilities using setcap. When I call it by root all goes fine, eg
$ sudo setcap cap_dac_override,cap_dac_read_search+ep ./bin_file
$ getcap ./bin_file ./bin_file = cap_dac_override,cap_dac_read_search+ep
but when i run the command with user privileges...
$ /sbin/setcap cap_dac_override,cap_dac_read_search+ep ./bin_file unable to set CAP_SETFCAP effective capability: Operation not permitted
I added the following string into
/etc/security/capability.conf
:cap_setfcap,cap_dac_override,cap_dac_read_search user
but it still doesn't work.