I have a backup application which needs to run with CAP_DAC_READ_SEARCH. It's not a binary, but a script and so I can't attach the capability to the file, instead it needs to be given to the particular user. Historically many backup scripts were run under root, but I would prefer to use a more nuanced approach. When I used to run a VMS system it was easy to set the READALL privilege on a particular account for this purpose, can I do the same with capabilities? Failing that, I suppose that sudo would be the way forward.
Thanks.
Capabilities on a user
Re: Capabilities on a user
"... I can't attach the capability to the file ..."
Eh, you can't use setcap to set the file's capabilities?
I guess the capability you're looking for is DAC_OVERRIDE.
(Or maybe I've missed all points completely).
Re: Capabilities on a user
Are capabilities inherited by required files, functions and subshells? Anyhow, I've gone down the sudo route and added the following as a file in /etc/sudoers on each node, which seems to do the trick:
...
Cmnd_Alias BACKUPS = /sbin/xfsdump, /sbin/dump, /bin/cpio, /bin/tar
...
BACKUP_USERS ALL=NOPASSWD: BACKUPS
...
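An added shell example (not posted in this thread) for the capability question raised above and for the "inherited by subshells" question in the reply: it decodes the CapEff mask the kernel reports in /proc/<pid>/status, so a backup script can verify whether CAP_DAC_READ_SEARCH is actually in its effective set, and run the same check inside a subshell. Bit numbers are the kernel's own (CAP_DAC_OVERRIDE = 1, CAP_DAC_READ_SEARCH = 2); the status excerpt is constructed sample data.

```sh
#!/bin/sh
# Added example, not from the thread. Decodes the CapEff bitmask that the
# kernel reports in /proc/<pid>/status and tests one capability bit.
# Bit numbers from <linux/capability.h>:
#   CAP_DAC_OVERRIDE    = 1  (bypass write/execute permission checks)
#   CAP_DAC_READ_SEARCH = 2  (bypass read and directory-search checks only,
#                             which is all a read-only backup needs)

# has_cap MASK BIT -> prints yes/no. MASK is the hex value after "CapEff:".
has_cap() {
    mask=$1
    bit=$2
    if [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# cap_eff_from_text -> reads a status file on stdin, prints the CapEff mask.
cap_eff_from_text() {
    awk '$1 == "CapEff:" { print $2 }'
}

# check_status_text TEXT BIT -> yes/no for the process whose status is TEXT.
check_status_text() {
    mask=$(printf '%s\n' "$1" | cap_eff_from_text)
    has_cap "$mask" "$2"
}

# Constructed sample: a status excerpt for a backup script whose effective set
# holds only CAP_DAC_READ_SEARCH (bit 2 -> 0x4). An ordinary user shows all zeros.
SAMPLE_STATUS=$(printf 'Name:\tbackup.sh\nCapEff:\t0000000000000004\n')

echo "sample: CAP_DAC_READ_SEARCH=$(check_status_text "$SAMPLE_STATUS" 2)" \
     "CAP_DAC_OVERRIDE=$(check_status_text "$SAMPLE_STATUS" 1)"

# On Linux, check this shell and then a subshell; a fork keeps the same sets,
# so the interesting comparison is with a helper program the script execs.
if [ -r /proc/self/status ]; then
    echo "this shell: $(check_status_text "$(cat /proc/self/status)" 2)"
    ( echo "subshell:   $(check_status_text "$(cat /proc/self/status)" 2)" )
fi
```

Put the check at the top of the backup script (and in any helper it launches) to confirm that whatever grants the capability, file caps or the user, really reaches the process that opens the files.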