Capabilities on a user

Support for security such as Firewalls and securing linux
MartinR
Posts: 714
Joined: 2015/05/11 07:53:27
Location: UK

Capabilities on a user

Post by MartinR » 2021/03/25 12:29:10

I have a backup application which needs to run with CAP_DAC_READ_SEARCH. It's not a binary, but a script, and so I can't attach the capability to the file; instead it needs to be given to the particular user. Historically many backup scripts were run under root, but I would prefer to use a more nuanced approach. When I used to run a VMS system it was easy to set the READALL privilege on a particular account for this purpose; can I do the same with capabilities? Failing that, I suppose that sudo would be the way forward.

Thanks.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Capabilities on a user

Post by aks » 2021/04/06 17:51:26

"... I can't attach the capability to the file ..."
Eh, you can't use setcap to set the file's capabilities?

I guess the capability you're looking for is DAC_OVERRIDE.

(Or maybe I've missed all points completely).

MartinR
Posts: 714
Joined: 2015/05/11 07:53:27
Location: UK

Re: Capabilities on a user

Post by MartinR » 2021/04/06 21:46:37

Are capabilities inherited by required files, functions and subshells? Anyhow, I've gone down the sudo route and added:


...
Cmnd_Alias BACKUPS = /sbin/xfsdump, /sbin/dump, /bin/cpio, /bin/tar
...
BACKUP_USERS ALL=NOPASSWD: BACKUPS
...
as a file in /etc/sudoers on each node which seems to do the trick.
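On the inheritance question above: file capabilities are not honoured on an interpreted script (the kernel execs the interpreter, not the script), so the useful check is which capability sets the running process actually holds. The following is an added example, not code from the thread: it decodes the CapInh/CapPrm/CapEff/CapBnd/CapAmb bitmasks from a /proc/<pid>/status dump (the bit numbers are from linux/capability.h; the sample status block is constructed).

```python
# Decode capability bitmasks from a /proc/<pid>/status block.
# Added example, not from the forum thread. Bit numbers follow
# linux/capability.h; only a few are named here, the rest print as cap_N.
import re

CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 21: "CAP_SYS_ADMIN",
}

CAP_SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

def decode_caps(mask: int) -> set:
    """Return the names of the capability bits set in mask."""
    return {CAP_NAMES.get(bit, f"cap_{bit}") for bit in range(64) if mask >> bit & 1}

def parse_status(text: str) -> dict:
    """Map each Cap* set in a /proc status dump to its decoded capability names."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m and m.group(1) in CAP_SETS:
            result[m.group(1)] = decode_caps(int(m.group(2), 16))
    return result

def has_read_search(text: str) -> bool:
    """True if the process's effective set contains CAP_DAC_READ_SEARCH."""
    return "CAP_DAC_READ_SEARCH" in parse_status(text).get("CapEff", set())

# Constructed sample: a process holding only CAP_DAC_READ_SEARCH (bit 2 = 0x4)
# in its inheritable/permitted/effective/ambient sets, with the usual full
# bounding set. A real dump comes from /proc/<pid>/status on the backup host.
SAMPLE_STATUS = """\
Name:\tbackup.sh
CapInh:\t0000000000000004
CapPrm:\t0000000000000004
CapEff:\t0000000000000004
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000004
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/self/status"
    try:
        with open(path) as f:
            text = f.read()
    except OSError:            # not on Linux: fall back to the constructed sample
        text = SAMPLE_STATUS
    for name, caps in parse_status(text).items():
        print(f"{name}: {sorted(caps) or '(none)'}")
```

Run it from inside the backup script (or point it at the script's /proc/<pid>/status) to see whether CAP_DAC_READ_SEARCH survived into the effective set, or whether the job is in fact running with the full root set.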
