Linux capabilities for non root user
by suresh_n from LinuxQuestions.org on (#6QJZB)
I'm working on converting a root process to run as a non-root user by assigning all available Linux capabilities (38 in total, based on /usr/include/linux/capability.h). Despite this, I'm still encountering some errors.
Are there any operations or system tasks that remain restricted for non-root users even if all relevant Linux capabilities are assigned? Any insights or additional steps I should consider?
Errors I see:
2024-09-07 02:12:55Z mngr[13239]:VERBOSE: >>cntrlr[14034]: sh: 1: cannot create /proc/sys/net/ipv4/conf/acl_log_all/forwarding: Permission denied
2024-09-07 02:12:55Z mngr[13239]:VERBOSE: >>cntrlr[14034]: sh: 1: cannot create /proc/sys/net/ipv6/conf/acl_log_all/forwarding: Permission denied
2024-09-07 02:12:55Z mngr[13239]:VERBOSE: >>cntrlr[14034]: sh: 1: cannot create /proc/sys/net/ipv6/conf/acl_log_all/disable_ipv6: Permission denied
2024-09-07 02:12:55Z mngr[13239]:VERBOSE: >>cntrlr[14034]: sh: 1: cannot create /proc/sys/net/ipv4/conf/acl_log_all/rp_filter: Permission denied
2024-09-07 02:12:55Z mngr[13239]:VERBOSE: >>cntrlr[14034]: SIOCSIFFLAGS: Operation not permitted
However, the process has all the capabilities:
root@switch:~# getcap cntrlr.bin
cntrlr.bin = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+ep
Thanks!
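Added example, not part of the original post: the `sh: 1:` prefix in the logged errors indicates the failing writes are attempted by a shell that cntrlr launches, and capabilities(7) defines how capability sets change at each execve(2). The model below applies those rules to a binary carrying `+ep` and then to a child shell, with and without an ambient capability raised first. The process chain, the choice of CAP_NET_ADMIN, and the assumption that `sh` carries no file capabilities are constructed for illustration.

```python
"""Capability sets across execve(2), following the rules in capabilities(7).
Added illustration: the process chain below is constructed, not taken from
the poster's system."""
from dataclasses import dataclass, replace

ALL_CAPS = (1 << 38) - 1   # bits 0..37, the 38 capabilities in the getcap output
CAP_NET_ADMIN = 1 << 12    # required for SIOCSIFFLAGS

@dataclass(frozen=True)
class Proc:
    permitted: int = 0
    inheritable: int = 0
    effective: int = 0
    ambient: int = 0
    bounding: int = ALL_CAPS

@dataclass(frozen=True)
class FileCaps:
    permitted: int = 0
    inheritable: int = 0
    effective: bool = False   # the "e" in +ep is a single flag, not a set

def execve(p: Proc, f: FileCaps) -> Proc:
    """Non-root caller, no set-user-ID bit on the file."""
    has_file_caps = bool(f.permitted or f.inheritable or f.effective)
    ambient = 0 if has_file_caps else p.ambient
    permitted = (p.inheritable & f.inheritable) | (f.permitted & p.bounding) | ambient
    effective = permitted if f.effective else ambient
    return replace(p, permitted=permitted, effective=effective, ambient=ambient)

def raise_ambient(p: Proc, caps: int) -> Proc:
    """Model of capset(2) followed by prctl(PR_CAP_AMBIENT_RAISE): only
    capabilities that are permitted and inheritable can become ambient."""
    inheritable = p.inheritable | (caps & p.permitted)
    return replace(p, inheritable=inheritable,
                   ambient=p.ambient | (caps & p.permitted & inheritable))

def child_shell(with_ambient: bool) -> Proc:
    user = Proc()                                    # unprivileged account
    cntrlr = execve(user, FileCaps(permitted=ALL_CAPS, effective=True))  # +ep
    if with_ambient:
        cntrlr = raise_ambient(cntrlr, CAP_NET_ADMIN)
    return execve(cntrlr, FileCaps())                # sh: assumed no file caps

if __name__ == "__main__":
    for amb in (False, True):
        sh = child_shell(amb)
        print(f"ambient={amb}: sh CapPrm={sh.permitted:#x} CapEff={sh.effective:#x}")
```

On a live system the same sets appear as CapPrm, CapEff and CapAmb in /proc/<pid>/status, so the values for the running process and for a child it spawns can be compared against the model.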