Questions tagged [setcap]

27 questions
33 votes, 2 answers

How to set capabilities with setcap command?

I would like to set up wpa_supplicant and openvpn to run as non-root user, like the recommended setup for wireshark. I can't find any documentation for what +eip in this example means: sudo setcap cap_net_raw,cap_net_admin,cap_dac_override+eip…
T0m4t0s4uc3
23 votes, 2 answers

Setcap not found in Debian 9

I'm using an installation script that needs setcap and it's not found. What package contains it? libcap2 is already installed.
Gabriel
20 votes, 2 answers

'setcap' overwrites last capability. How do I set multiple capabilities?

I want to give node.js the ability to listen on port 80, and shutdown the computer. Initially I tried these two commands in sequence: setcap cap_net_bind_service=+ep /usr/bin/nodejs setcap cap_sys_boot=+ep /usr/bin/nodejs Then my app was failing…
Antonius Bloch
19 votes, 6 answers

How can I set up a remote port forward on port 80 to my localhost with the help of setcap?

I'd like to accept connections briefly for development when I'm NATed, and so I'm attempting to do this: $ ssh [email protected] -R 80:localhost:80 Which fails as I'm trying to bind a port that is too low: Warning: remote port forwarding failed for…
Kit Sunde
17 votes, 1 answer

Can capabilities be used in scripts without setcap'ing the interpreter binary?

Right now I'm using cap_net_bind_service MY_USERNAME in /etc/security/capability.conf. Now I just need to set cap_net_bind_service+i on the interpreter of my favorite scripting language to be able to add CAP_NET_BIND_SERVICE to the effective set via…
ThiefMaster
17 votes, 2 answers

When using setcap, where is the permission stored?

Using setcap to give additional permissions to a binary should write the new permission somewhere, on storage or in memory; where is it stored? Using lsof as is doesn't work because the process disappears too quickly.
Zulgrib
13 votes, 1 answer

Is setcap deprecated?

I'm starting a webserver as non-root using a systemd unit file. I am getting listen tcp :80: bind: permission denied even though I already ran setcap cap_net_bind_service=+ep on the executable. In an example unit file on the internet I…
AndreKR
12 votes, 2 answers

How to get Oracle java 7 to work with setcap cap_net_bind_service+ep

I am trying to grant the java executable the right to open ports below 1024 on Linux. Here is the setup /home/test/java contains the Oracle Server JRE 7.0.25 CentOS 6.4 Here is what getcap returns [test@centos6 java]$…
ams
9 votes, 2 answers

Passing capabilities through exec

I'm trying to understand how Linux capabilities are passed to a process that has been exec()'d by another one. From what I've read, in order for a capability to be kept after exec, it must be in the inheritable set. What I am not sure of, though, is…
AdmiralNemo
5 votes, 1 answer

Why ping works without capability and setuid

I learned from here that there are 2 ways to control privileged activities: setuid and capability. But when I'm playing around with ping on my machine, it seems that it can bypass these 2 mechanisms. First, confirm that on my machine /usr/bin/ping has…
zingdle
4 votes, 0 answers

Is there something like 'sudo' but give only one capability not real root?

I want to run a one-time web server on port 80, which I will never run again. Is there something like 'sudo' that gives only temporary CAP_NET_BIND_SERVICE, not real root, to a process? So that we don't have to use chmod or setcap.
Bob Johnson
4 votes, 1 answer

Security of capabilities vs setuid (LD_PRELOAD, etc)

I know that if a process is run setuid that it's protected against various things that could subvert the process, like LD_PRELOAD and ptrace (debugging). But I haven't been able to find anything on the same being done for capabilities. I assume the…
Matthew Cline
3 votes, 1 answer

One non-root user run jetty by port 512 which is less than port 1024

Customer asks us to create a non-root user to run our web system which binds port 512, less than 1024. When the web server (jetty) runs, this is the exception: 2013-10-16 14:49:51.406:WARN::failed Server@2c2893ce: java.net.SocketException: Permission…
Evans
3 votes, 1 answer

how to set capabilities (setcap) on perf

I'd like to use the perf utility. I was following instructions to set up a privileged group of users who are permitted to execute performance monitoring and observability without limits (as instructed here:…
3 votes, 3 answers

possibility of running daemons with under privileged users during bootup

I have an authoritative DNS daemon in my test DNS setup which is responsible to provide host IP at best choice. This daemon/process can run by setting some capabilities using setcap and then a development user can start or stop this without becoming…
Akaks