Unable to set capability CAP_SETFCAP by user

linux security capabilities

15,235

Solution 1

If a user/process has cap_setfcap or cap_dac_override, then it is trivial to gain root access.

If the user is trusted you can add them to group sudo/sudoers (depends on configuration), and they can use sudo.

You can even add rules to /etc/sudoers.d/ to allow the user to run setcap only, and only in the specified ways. However this will just give you a false sense of security.

Solution 2

Because your /sbin/setcap doesn't have CAP_SETFCAP bit in neither inheritable set, nor permitted set. The file's effective bit is not set as well.

And as richard said, it 'll make no sense of security if you grant these 2 capabilities to any non-root user

15,235

clerksx

Hi there! I work on Linux kernel memory management and also help maintain systemd. You can find me at: chrisdown.name GitHub LinkedIn

Updated on September 18, 2022

Comments

clerksx almost 2 years
The question is about capabilities. I need to allow user to set capabilities using setcap. When I call it by root all goes fine, eg $ sudo setcap cap_dac_override,cap_dac_read_search+ep ./bin_file
```
$ getcap ./bin_file
./bin_file = cap_dac_override,cap_dac_read_search+ep
```
but when i run the command with user privileges...
```
$ /sbin/setcap cap_dac_override,cap_dac_read_search+ep ./bin_file
unable to set CAP_SETFCAP effective capability: Operation not permitted
```
I added the following string into /etc/security/capability.conf:
```
cap_setfcap,cap_dac_override,cap_dac_read_search user
```
but it still doesn't work.