Support for security such as Firewalls and securing linux
I have a backup application which needs to run with CAP_DAC_READ_SEARCH. It's not a binary but a script, so I can't attach the capability to the file; instead it needs to be given to the particular user. Historically many backup scripts were run under root, but I would prefer to use a more nuanced approach. When I used to run a VMS system it was easy to set the READALL privilege on a particular account for this purpose. Can I do the same with capabilities? Failing that, I suppose that sudo would be the way forward.
Are capabilities inherited by required files, functions and subshells? Anyhow, I've gone down the sudo route and added:
Code:
    ...
    Cmnd_Alias BACKUPS = /sbin/xfsdump, /sbin/dump, /bin/cpio, /bin/tar
    ...
    BACKUP_USERS ALL=NOPASSWD: BACKUPS
    ...
as a file in /etc/sudoers on each node, which seems to do the trick.
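On the inheritance question raised in the thread, the following is an added example, not code from any poster: it models the execve() transformation documented in capabilities(7) for a non-root process and reports whether CAP_DAC_READ_SEARCH survives into a script interpreter or subshell. The function names and the bounding-set value are constructed for illustration; root special-casing and securebits are left out.

```shell
#!/bin/sh
# Added example: models the execve() rules from capabilities(7) for a
# non-root process. Root special-casing and securebits are left out.

CAP_DAC_READ_SEARCH=$((1 << 2))   # capability number 2

# has_cap MASK CAP: succeeds if CAP is present in MASK.
has_cap() { [ $(( $1 & $2 )) -ne 0 ]; }

# exec_permitted P_INH P_AMB P_BND F_INH F_PRM
# Prints the permitted set the process holds after execve() of a file
# whose file capabilities are F_INH/F_PRM (both 0 for a plain interpreter).
exec_permitted() {
    p_inh=$1; p_amb=$2; p_bnd=$3; f_inh=$4; f_prm=$5
    # Executing a file that carries capabilities clears the ambient set.
    if [ $(( f_inh | f_prm )) -ne 0 ]; then p_amb=0; fi
    echo $(( (p_inh & f_inh) | (f_prm & p_bnd) | p_amb ))
}

# proc_cap_mask FIELD: reads /proc/<pid>/status text on stdin and prints
# the named mask (CapInh, CapPrm, CapEff, CapBnd or CapAmb) in decimal.
proc_cap_mask() {
    hex=$(awk -v f="$1:" '$1 == f { print $2 }')
    echo $(( 0x${hex:-0} ))
}

report() {   # report LABEL MASK
    if has_cap "$2" "$CAP_DAC_READ_SEARCH"; then state=kept; else state=lost; fi
    printf '%-42s CAP_DAC_READ_SEARCH %s\n' "$1" "$state"
}

C=$CAP_DAC_READ_SEARCH; BND=$(( (1 << 41) - 1 ))   # constructed bounding set
report "inheritable only, plain interpreter"    "$(exec_permitted "$C" 0 "$BND" 0 0)"
report "inheritable, interpreter file has +i"   "$(exec_permitted "$C" 0 "$BND" "$C" 0)"
report "ambient, plain interpreter or subshell" "$(exec_permitted "$C" "$C" "$BND" 0 0)"
report "ambient, then a file with its own caps" "$(exec_permitted "$C" "$C" "$BND" 0 1)"

# The effective mask of the running shell, when /proc is available.
if [ -r /proc/self/status ]; then
    report "this shell (CapEff)" "$(proc_cap_mask CapEff < /proc/self/status)"
fi
```

The model computes the permitted set only; whether the capability is also effective after the exec depends on the file's effective bit or on the ambient set.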