Using setcap in Linux
This sets the CAP_NET_RAW bit in both the "effective" (e) and "permitted" (p) capability sets. These two sets, along with the "inheritable" set, govern the capabilities that a process has or can set.
See more here:
capabilities - Linux man page
Capability Sets
Each thread has three capability sets containing zero or more of the above capabilities:
Effective - the capabilities used by the kernel to perform permission checks for the thread.
Permitted - the capabilities that the thread may assume (i.e., a limiting superset for the effective and inheritable sets). If a thread drops a capability from its permitted set, it can never re-acquire that capability (unless it exec()s a set-user-ID-root program).
Inheritable - the capabilities preserved across an execve(2).
A child created via fork(2) inherits copies of its parent's capability sets. See below for a discussion of the treatment of capabilities during exec(). Using capset(2), a thread may manipulate its own capability sets, or, if it has the CAP_SETPCAP capability, those of a thread in another process.
Use Linux setcap command to set capabilities during Yocto build
I found the solution.
I had to add this to the libcap recipe
PACKAGECONFIG_class-native = "attr"
The generated binaries (setcap & getcap) depend on libattr, and this has to be configured manually.
I found that it's already configured for the target package
PACKAGECONFIG ??= "attr ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}"
Sorry for disturbing.
Trying to perform setcap from Qt program
The best thing to do, as @G.M. suggests, is to provide the full path to the binary. You can find setcap's location on your system with:
$ sudo which setcap
On Debian and Fedora, that returns /usr/sbin/setcap. On your system it might also be /sbin/setcap. Then embed that string in your program explicitly:
command = "/sbin/setcap";
Is there a way for non-root processes to bind to privileged ports on Linux?
Okay, thanks to the people who pointed out the capabilities system and CAP_NET_BIND_SERVICE capability. If you have a recent kernel, it is indeed possible to use this to start a service as non-root but bind low ports. The short answer is that you do:
setcap 'cap_net_bind_service=+ep' /path/to/program
And then anytime program is executed thereafter it will have the CAP_NET_BIND_SERVICE capability. setcap is in the Debian package libcap2-bin.
Now for the caveats:
- You will need at least a 2.6.24 kernel
- This won't work if your file is a script (i.e. uses a #! line to launch an interpreter). In this case, as far as I understand, you'd have to apply the capability to the interpreter executable itself, which of course is a security nightmare, since any program using that interpreter will have the capability. I wasn't able to find any clean, easy way to work around this problem.
- Linux will disable LD_LIBRARY_PATH on any program that has elevated privileges like setcap or suid. So if your program uses its own .../lib/, you might have to look into another option like port forwarding.
Resources:
- capabilities(7) man page. Read this long and hard if you're going to use capabilities in a production environment. There are some really tricky details of how capabilities are inherited across exec() calls that are detailed here.
- setcap man page
- "Bind ports below 1024 without root on GNU/Linux": The document that first pointed me towards setcap.
Note: RHEL first added this in v6.
Linux capabilities (setcap) seems to disable LD_LIBRARY_PATH
Yes, it's disabled for security reasons.
Setcap over SSHFS
File capabilities are implemented on Linux with extended attributes (specifically the security.capability attribute), and not all filesystems implement extended attributes. sshfs in particular does not.
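An added example, not part of the original answers: a decoder for the security.capability extended attribute mentioned above, showing how the "permitted" bits and the single "effective" flag written by setcap are laid out, which is useful when auditing which binaries carry file capabilities. The layout and constants follow linux/capability.h; the CAP_NAMES table is deliberately partial, file_caps is a hypothetical helper name, and SAMPLE is a constructed value.

```python
import errno
import os
import struct

# Constants from <linux/capability.h>
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision -> (number of 32-bit word pairs, total xattr size in bytes)
REVISIONS = {0x01000000: (1, 12), 0x02000000: (2, 20), 0x03000000: (2, 24)}
# Partial name table (assumption: enough for this page); others show as cap_<n>
CAP_NAMES = {10: "cap_net_bind_service", 12: "cap_net_admin", 13: "cap_net_raw"}


def _names(mask):
    return [CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if mask >> b & 1]


def decode_file_caps(raw):
    """Decode a raw security.capability value into its capability sets."""
    if len(raw) < 4:
        raise ValueError("truncated security.capability value")
    (magic,) = struct.unpack_from("<I", raw, 0)
    words, size = REVISIONS.get(magic & VFS_CAP_REVISION_MASK, (0, 0))
    if not words or len(raw) != size:
        raise ValueError("unknown revision or wrong length")
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    # On a file, "effective" is one flag, not a set: if set, the permitted
    # capabilities are also raised in the effective set at execve().
    return {"permitted": _names(permitted), "inheritable": _names(inheritable),
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE)}


def file_caps(path):
    """Decoded capabilities of path; None if unset or xattrs unsupported."""
    try:
        raw = os.getxattr(path, "security.capability")
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None  # no file capabilities, or a filesystem such as sshfs
        raise
    return decode_file_caps(raw)


# Constructed sample: revision 2 value for setcap 'cap_net_bind_service=+ep'
SAMPLE = struct.pack("<IIIII", 0x02000001, 1 << 10, 0, 0, 0)
```

Calling file_caps on each executable found under a directory tree gives an inventory of capability-bearing binaries comparable to what getcap reports.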