11/20/2018

Linux Capabilities Example

An example of setting and getting a Linux capability

If you run across a command that reports an error suggesting a missing capability such as NET_ADMIN, you may want to use file capabilities to let a non-root user run a privileged command such as iotop. The capability named NET_ADMIN in the message is what setcap(8) and capabilities(7) call cap_net_admin:

[kwright@ryzen5 cvs]$ iotop
Netlink error: Operation not permitted (1)

The Linux kernel interfaces that iotop relies on now require root priviliges
or the NET_ADMIN capability. This change occured because a security issue
(CVE-2011-2494) was found that allows leakage of sensitive data across user
boundaries. If you require the ability to run iotop as a non-root user, please
configure sudo to allow you to run iotop as root.

Please do not file bugs on iotop about this.
[kwright@ryzen5 cvs]$ setcap
usage: setcap [-q] [-v] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]


SETCAP(8)                             System Manager's Manual                            SETCAP(8)

NAME
       setcap - set file capabilities

SYNOPSIS
       setcap [-q] [-v] (capabilities|-|-r) filename [ ... capabilitiesN fileN ]

DESCRIPTION
       In  the  absence  of  the -v (verify) option setcap sets the capabilities of each specified
       filename to the capabilities specified.  The -v option is used to verify that the specified
       capabilities are currently associated with the file.

       The capabilities are specified in the form described in cap_from_text(3).

       The special capability string, '-', can be used to indicate that capabilities are read from
       the standard input. In such cases, the capability set is terminated with a blank line.

       The special capability string, '-r', is used to remove a capability set from a file.

       The -q flag is used to make the program less verbose in its output.

EXIT CODE
       The setcap program will exit with a 0 exit code if successful. On failure, the exit code is
       1.

SEE ALSO
       cap_from_text(3), cap_set_file(3), getcap(8),capabilities(7)


[kwright@ryzen5 cvs]$ sudo setcap cap_net_admin+eip /usr/sbin/iotop

[kwright@ryzen5 cvs]$ echo $?
0

[kwright@ryzen5 cvs]$ getcap /usr/sbin/iotop
/usr/sbin/iotop = cap_net_admin+eip

Conclusion

Despite setting the capability reported in the error message, the iotop command still reports the same error. The reason is not how iotop is written but which file the kernel actually executes: iotop is a Python script, and when a #! script is run the kernel loads the interpreter named on that first line, so file capabilities on the script itself (like set-user-ID bits on a script) are ignored. setcap and getcap will happily write and read the extended attribute on the script, which is why both commands above succeed, but no process ever gains the capability. Only an ELF executable can carry a file capability that takes effect. Granting cap_net_admin to the Python interpreter instead would make iotop work, but it would hand that capability to every Python program on the system, so for a script like this the sudo rule the error message recommends is the safer quick workaround.
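The following script is an added example, not code from the original post or from iotop or libcap. It checks whether a target is an ELF binary that the kernel will run directly or a #! script whose file capabilities will be ignored, and it decodes the hex capability masks that /proc/PID/status reports (CapEff, CapPrm, and so on) into the names used by setcap. It assumes a POSIX shell with dd, od, sed and awk; getcap is used only if present. The capability bit numbers are the ones from capabilities(7), listed up to CAP_CHECKPOINT_RESTORE (bit 40).

```shell
#!/bin/sh
# Added example (not from the original post): does a file capability on this program
# actually take effect, and what capabilities does a running process hold?
# Assumptions: POSIX sh, dd, od, sed, awk; getcap from libcap is optional.
set -e

# Capability names indexed by bit number, from capabilities(7). Bit 12 is cap_net_admin.
CAP_NAMES="cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill \
cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service \
cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner \
cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct \
cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time \
cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control \
cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm \
cap_block_suspend cap_audit_read cap_perfmon cap_bpf cap_checkpoint_restore"

# file_caps_target FILE -> one of:
#   elf    the kernel executes this file itself, so a capability set with setcap applies
#   script the file starts with "#!": the kernel executes the interpreter instead and
#          ignores file capabilities (and set-user-ID) on the script
#   other  neither signature found
file_caps_target() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case $magic in
        7f454c46) echo elf ;;      # "\177ELF"
        2321*)    echo script ;;   # "#!"
        *)        echo other ;;
    esac
}

# decode_caps HEXMASK -> names of the bits set in a CapEff/CapPrm/CapInh-style mask,
# e.g. decode_caps 0000000000001000 -> cap_net_admin
decode_caps() {
    [ -n "$1" ] || return 1
    mask=$((0x$1))
    i=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="$out $name"
        fi
        i=$((i + 1))
    done
    out=${out# }
    echo "${out:-none}"
}

# proc_caps PID SET -> hex mask for SET (CapEff, CapPrm, CapInh, CapBnd or CapAmb) of PID
proc_caps() {
    awk -v f="$2:" '$1 == f { print $2 }' "/proc/$1/status"
}

# Usage: sh caps_check.sh /usr/sbin/iotop [more files...]
#        sh caps_check.sh --self      (decode this shell's own effective set)
for target in "$@"; do
    if [ "$target" = --self ]; then
        printf 'pid %s CapEff: %s\n' "$$" "$(decode_caps "$(proc_caps "$$" CapEff)")"
        continue
    fi
    kind=$(file_caps_target "$target")
    printf '%s: %s\n' "$target" "$kind"
    if command -v getcap >/dev/null 2>&1; then
        getcap "$target" || true
    fi
    if [ "$kind" = script ]; then
        interp=$(sed -n '1s/^#! *//p' "$target" | cut -d' ' -f1)
        echo "  file capabilities on this script are ignored; the kernel runs $interp instead"
    fi
done
```

Run against /usr/sbin/iotop it reports "script" and names the interpreter, which explains why getcap shows cap_net_admin+eip yet the program never gains it; the --self form is a quick way to confirm from inside a process whether an effective capability was actually granted, by reading CapEff rather than trusting the file attribute.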


About Me - WrightRocket

I've worked with computers for over 30 years, programming, administering, using and building them from scratch.

I'm an instructor for technical computer courses, an editor and developer of training manuals, and an Android developer.