I'm using a installation scripts that needs setcap and it's not found. What package contains it? libcap2 is already installed.

I am trying to grant the java executable the right to open ports below 1024 on Linux. Here is the setup - /home/test/java contains the Oracle Server JRE 7.0.25 - CentOS 6.4 Here is what getcap returns [test@centos6 java]$ pwd /home/test/java [test@centos6 java]$ getcap bin/java bin/java = cap_net_bind_service+ep [test@centos6 java]$ getcap jre/bin/java jre/bin/java = cap_net_bind_service+ep Trying to execute java gives the following error. [test@centos6 java]$ bin/java bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory [test@centos6 java]$ jre/bin/java jre/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory Is it possible to run Java 7_u25 when the binary has been given elevated privileges with setcap, if so how? JDK-6919633 : Runtime does not support POSIX File Capabilities (A.K.A. Linux Capabilities) says that Note: when using the setcap the libraries needed by the java launcher should be present in /usr/lib or any other "trusted" location that the runtime loader (rtld) uses to find shared libraries. How do I make the shared libraries trusted?

I would like to set up wpa_supplicant and *openvpn* to run as non-root user, like the recommended setup for *wireshark*. I can't find any documentation for what +eip in this example means: sudo setcap cap_net_raw,cap_net_admin,cap_dac_override+eip /usr/bin/dumpcap

I'd like to accept connections briefly for development when I'm NATed, and so I'm attempting to do this: $ ssh ubuntu@example.org -R 80:localhost:80 Which fails as I'm trying to bind a port that is to low: Warning: remote port forwarding failed for listen port 80 So I've discovered that I can do setcap 'cap_net_bind_service=+ep' /my/application to allow it to listen to ports lower than 1024. So I've got this in my suders crontab: @reboot setcap 'cap_net_bind_service=+ep' /usr/sbin/sshd But it's still not letting me bind on port 80. What am I doing wrong? I'm just going to use nginx to proxy to 8080 or iptables or something instead, but I'm still curious why what I was trying to do didn't work.

I want to give node.js the ability to listen on port 80, and shutdown the computer. Initially I tried these two commands in sequence: setcap cap_net_bind_service=+ep /usr/bin/nodejs setcap cap_sys_boot=+ep /usr/bin/nodejs Then my app was failing to bind to port 80. I checked with getcap: # getcap /usr/bin/nodejs /usr/bin/nodejs = cap_sys_boot+ep If I run setcap again for cap_net_bind_service: # getcap /usr/bin/nodejs /usr/bin/nodejs = cap_net_bind_service+ep I don't see anything in the man page http://linux.die.net/man/8/setcap about setting multiple capabilities, and try some things in desperation: # setcap cap_net_bind_service=+ep /usr/bin/nodejs cap_sys_boot=+ep /usr/bin/nodejs # getcap /usr/bin/nodejs /usr/bin/nodejs = cap_sys_boot+ep # setcap cap_net_bind_service=+ep cap_sys_boot=+ep /usr/bin/nodejs Failed to set capabilities on file `cap_sys_boot=+ep' (No such file or directory) How do I set multiple capabilities?­­­­­­­

There is a non-capability-aware program that requires at least 1) cap_sys_admin and 2) either cap_dac_override or cap_dac_read_search. This can be proven as follows:

sudo setcap 'all=ep cap_sys_admin-ep' ./binary`                        # ./binary doesn't work
sudo setcap 'all=ep cap_dac_override-ep' ./binary`                     # ./binary works
sudo setcap 'all=ep cap_dac_read_search-ep' ./binary                   # ./binary works
sudo setcap 'all=ep cap_dac_override,cap_dac_read_search-ep' ./binary  # ./binary doesn't work

I want to do the same checks using capsh instead of setcap. Before these checks, all file capabilities are removed using sudo setcap -r ./binary. The first tree succeed, the results match setcap:

sudo capsh --user=jdoe --keep=1 --caps="all=eip" --addamb="all" --delamb="cap_sys_admin" -- -c ./binary
sudo capsh --user=jdoe --keep=1 --caps="all=eip" --addamb="all" --delamb="cap_dac_override" -- -c ./binary
sudo capsh --user=jdoe --keep=1 --caps="all=eip" --addamb="all" --delamb="cap_dac_read_search" -- -c ./binary

The last one fails, the program still works while it shouldn't:

sudo capsh --user=jdoe --keep=1 --caps="all=eip" --addamb="all" --delamb="cap_dac_override,cap_dac_read_search" -- -c ./binary

Is there some difference between filesystem and process capabilities that I fail to notice? How do I write the third test properly?

I am evaluating, how tcpdump can be used in a safer manner with as few as possible privileges. Two possibilities: ## 1. -Z option > If tcpdump is running as root, after opening the capture device or input savefile, but before opening any savefiles for output, change the user ID to user and the group ID to the primary group of user. > > This behavior can also be enabled by default at compile time. Afaik tcpdump opens the network interface to be sniffed in promiscuous mode and a possible file (-r flag) with root, but changes to user privileges *before* any further outputting is started. This should minimize possible attack vectors, as parsing the network traffic and possible malicious network packets is done as unprivileged user. E.g. what about taking user nobody to ensure minimum permissions:

tcpdump -i wlan0 -s 0 -Z nobody src portrange 1-80

## 2. setcap Use setcap to add file capabilities CAP_NET_ADMIN, CAP_NET_RAW to /usr/sbin/tcpdump, as suggested here and here :

sudo su
groupadd pcap
usermod -a -G pcap $USER
chgrp pcap /usr/sbin/tcpdump
chmod 750 /usr/sbin/tcpdump
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

## Comparison Above solutions seem to be mutually exclusive: -Z option docs state, user switching is only done, if tcpdump is run as root. Disadvantage I see with solution 2: the malicious code still would have user permission for tcpdump and CAP_NET_ADMIN / CAP_NET_RAW. So I would favor solution 1. What do you think?

Since CUDA 10.1, users are required to have sudo privileges to collect advanced metrics with cuda profiling tools such as nvprof or nsight compute (ncu). Alternatives to get around it are described here: * https://developer.nvidia.com/nvidia-development-tools-solutions-err-nvgpuctrperm-nvprof The link above mentions that CAP_SYS_ADMIN can be used in order to enable the collection of these metrics. Trying to understand the problem, I found this insightful stack overflow response: * https://stackoverflow.com/a/17685265 Correct me If I am wrong, but in order to proceed with CAP_SYS_ADMIN path I should enable the capability for the application **AND** the user (if it is a non-root user). I am not familiar with linux capabilities and I am not sure if is best to grant CAP_SYS_ADMIN to user/application or just give the user SUDO access. Why one is better than the other? ---- EDIT: As of right now, I am still unable to get it to work.

# First I executed
$ sudo setcap cap_sys_admin+ep /usr/local/cuda/bin/nvprof

# This is the command that I am executing after installing the CUDA toolkit 10.2.
$ /usr/local/cuda/bin/nvprof -o output-detailed.nvvp -f --analysis-metrics /usr/local/cuda/extras/demo_suite/vectorAdd

[Vector addition of 50000 elements]
==142443== NVPROF is profiling process 142443, command: /usr/local/cuda/extras/demo_suite/vectorAdd
Copy input data from the host memory to the CUDA device
CUDA kernel launch with 196 blocks of 256 threads
==142443== Some kernel(s) will be replayed on device 0 in order to collect all events/metrics.
==142443== Warning: ERR_NVGPUCTRPERM - The user does not have permission to profile on the target device. See the following link for instructions to enable permissions and get more information: https://developer.nvidia.com/ERR_NVGPUCTRPERM 
Failed to launch vectorAdd kernel (error code unknown error)!
==142443== Warning: ERR_NVGPUCTRPERM - The user does not have permission to profile on the target device. See the following link for instructions to enable permissions and get more information: https://developer.nvidia.com/ERR_NVGPUCTRPERM 
==142443== Warning: Some profiling data are not recorded. Make sure cudaProfilerStop() or cuProfilerStop() is called before application exit to flush profile data.
==142443== Generated result file: /results/nvprof/output-detailed.nvvp

But it only works if I run with sudo.

$ sudo /usr/local/cuda/bin/nvprof -o output-detailed.nvvp -f --analysis-metrics /usr/local/cuda/extras/demo_suite/vectorAdd

[Vector addition of 50000 elements]
==142687== NVPROF is profiling process 142687, command: /usr/local/cuda/extras/demo_suite/vectorAdd
Copy input data from the host memory to the CUDA device
CUDA kernel launch with 196 blocks of 256 threads
==142687== Some kernel(s) will be replayed on device 0 in order to collect all events/metrics.
Replaying kernel "vectorAdd(float const *, float const *, float*, int)" (done)
Copy output data from the CUDA device to the host memory
Test PASSED
Done
==142687== Generated result file: /home/agostini/Development/nvprof/output-detailed.nvvp

Why it is not enough to grant the capabilities to the executable and have super user to run the application without sudo. Is PAM setup really needed even for a user in the sudo group?

I am trying to understand POSIX Capabilities. Sometimes, when reading the documentation they refer to file capabilities and sometimes to process capabilities. What is the difference between file and process capabilities. What I understood is we assign capability to an executable by using setcap and then when it is running which is a process it will use that capabilities. Why additional process capabilities, as process is executable file in memory.

A quick question: I am not able to find much info to run setcap on rhel5 . I searched few packages in my system # yum install libcap Loaded plugins: product-id, security, subscription-manager Updating Red Hat repositories. Setting up Install Process Package libcap-1.10-26.x86_64 already installed and latest version Package libcap-1.10-26.i386 already installed and latest version Nothing to do I also searched binary find / -name setcap but it is saying there is no setcap command .

I learned from [here](http://unixetc.co.uk/2016/05/30/linux-capabilities-and-ping/) that there's 2 ways to control privileged activities: setuid and capability. But when I'm playing around with ping on my machine, it seems that it can bypass these 2 mechanism. First, confirm that on my machine /usr/bin/ping has cap_net_raw capability and it use SOCK_RAW:

$ ll /usr/bin/ping
-rwxr-xr-x 1 root root 72K Jan 31  2020 /usr/bin/ping

$ getcap /usr/bin/ping
/usr/bin/ping = cap_net_raw+ep

$ strace -e socket ping 
socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_ROUTE) = 5

Copying the binary will drop the capability but it still works:

$ cp /usr/bin/ping ~

$ ll ~/ping
-rwxr-xr-x 1 user user 72K Nov  4 16:54 /home/user/ping

$ getcap ~/ping
[empty result]

$ ~/ping 
[it works]

I'm using Ubuntu 20.04 and 5.4.0-52-generic.

I'm trying to run wifi-menu on arch as non-root. No setcap i've tried works. [root@lilegg johny]# setcap CAP_NET_ADMIN,CAP_SYS_ADMIN,CAP_NET_RAW,CAP_DAC_OVERRIDE=eip /usr/bin/wifi-menu [root@lilegg johny]# exit exit [johny@lilegg ~]$ wifi-menu wifi-menu needs root privileges What's my mistake?

I want to run a one-time web server on port 80, which I will never run again. Is there something like 'sudo' that gives only temporary CAP_NET_BIND_SERVICE, not real root, to a process? So that we don't have to use chmod or setcap.

Using setcap to give additional permissions to a binary should write the new permission somewhere, on storage or in memory, where is it stored ? Using lsof as is doesn't work because the process disappear too quickly.

I've cross compiled an executable to run on Debian Stretch that requires a specific version of cURL (greater than 7.56) to run, and needs specific capabilities during execution. So on the executable I will run:

$ sudo setcap cap_net_raw,cap_net_admin+eip my_executable

After running this setcap, then running the executable, I will end up with the following error:

curl_easy_perform() failed: Out of memory

**NOTE** THIS ERROR IS EXPECTED DUE TO A BUG WITH EARLIER VERSIONS OF CURL. Hence why we need to upgrade to a cURL version above 7.56. In the case of the Raspberry Pi this is running on, the base version is 7.52, so my thought is that this is pointing to the older version of cURL despite the fact that I've updated the version of cURL in the system to be the latest release manually:

$ curl --version
curl 7.64.1 (armv7l-unknown-linux-gnueabihf) libcurl/7.64.1 OpenSSL/1.1.0j
Release-Date: 2019-03-27
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS HTTPS-proxy IPv6 Largefile NTLM NTLM_WB SSL TLS-SRP UnixSockets

What's going on here? Does setcap cause the executable to dynamically link libraries from somewhere besides the standard usr/bin and usr/local/bin?

I'm trying to start [BoringTun]() with setcap in order for it to run unprivileged but still have the ability to fmark:

root@67672793823c:/# setcap cap_net_admin+epi /usr/local/sbin/boringtun --foreground wgnet0
fatal error: Invalid argument
usage: setcap [-q] [-v] (-r|-|)  [ ... (-r|-|)  ]

 Note  must be a regular (non-symlink) file.

The man page doesn't seem very helpful and I can't find an option which will allow me to execute a binary with arbitrary arguments. If I remove the arguments, everything works, but I need to pass these arguments.

I need to create a network bridge with 'brctl addbr br-lan' command in a sh script without using sudo. I have a script like; brctl addbr br-lan ifconfig lo up I have tried to set capabilities to my script with sudo ./setcap cap_net_raw,cap_net_admin,cap_dac_override+eip ./myscript.sh But it didn't change anything. To call './myscript.sh' returns the following output; add bridge failed: Operation not permitted SIOCSIFFLAGS: Operation not permitted What should I do to run my script without root rights or which capabilities should I define to my script? Tx.

Right now I'm using cap_net_bind_service MY_USERNAME in /etc/security/capability.conf. Now I just need to set cap_net_bind_service+i on the interpreter of my favorite scripting language to be able to add CAP_NET_BIND_SERVICE to the *effective* set via libcap[-ng]. This works fine, but I wonder if there's a way to achieve the same thing without setting any caps to the interpreter binary. While it's not a big problem (other user accounts don't have the cap so they can't use it even with the bit set on the interpreter binary) it's somewhat annoying since I have to re-set the flag every time the interpreter is updated.

I'm starting a webserver as non-root using a *systemd* unit file. I am getting listen tcp :80: bind: permission denied even though I already ran setcap cap_net_bind_service=+ep on the executable. In an example unit file on the internet I found CapabilityBoundingSet=CAP_NET_BIND_SERVICE AmbientCapabilities=CAP_NET_BIND_SERVICE to be used in the unit file. So I tried that out, and suddenly the application can bind port 80. What does that tell me? setcap is old/deprecated/ignored? Only by *systemd* or by Linux in general?