Capabilities on a user

Posted: 2021/03/25 12:29:10
by MartinR
I have a backup application which needs to run with CAP_DAC_READ_SEARCH. It's not a binary, but a script, and so I can't attach the capability to the file; instead it needs to be given to the particular user. Historically many backup scripts were run under root, but I would prefer to use a more nuanced approach. When I used to run a VMS system it was easy to set the READALL privilege on a particular account for this purpose; can I do the same with capabilities? Failing that, I suppose that sudo would be the way forward.

Thanks.

Re: Capabilities on a user

Posted: 2021/04/06 17:51:26
by aks
"... I can't attach the capability to the file ..."
Eh, you can't use setcap to set the file's capabilities?

I guess the capability you're looking for is DAC_OVERRIDE.

(Or maybe I've missed all points completely).
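Added example (not part of this thread, and not code from either poster): a small decoder for the capability bitmasks the Linux kernel exposes in /proc/<pid>/status. It is the quickest way to check which sets a process actually holds, e.g. whether a backup script ended up with cap_dac_read_search (bit 2) or the broader cap_dac_override (bit 1) that the reply above mentions. The status text below is constructed; on a real Linux host, read_own_status() does the same for the current process.

```python
import re

# Capability numbers as defined in the Linux kernel's include/uapi/linux/capability.h.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner", "cap_fsetid",
    "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap", "cap_linux_immutable",
    "cap_net_bind_service", "cap_net_broadcast", "cap_net_admin", "cap_net_raw",
    "cap_ipc_lock", "cap_ipc_owner", "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot",
    "cap_sys_ptrace", "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod", "cap_lease",
    "cap_audit_write", "cap_audit_control", "cap_setfcap", "cap_mac_override",
    "cap_mac_admin", "cap_syslog", "cap_wake_alarm", "cap_block_suspend", "cap_audit_read",
    "cap_perfmon", "cap_bpf", "cap_checkpoint_restore",
]

CAP_SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")


def decode_mask(mask):
    """Return the capability names for the bits set in a /proc status mask."""
    names = []
    for bit in range(64):
        if mask & (1 << bit):
            # Bits beyond the known table (newer kernels) are reported by number.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit)
    return names


def parse_status(text):
    """Parse the Cap* lines of a /proc/<pid>/status dump into {set_name: [cap, ...]}."""
    sets = {}
    pattern = r"^(%s):\s*([0-9a-fA-F]+)\s*$" % "|".join(CAP_SETS)
    for m in re.finditer(pattern, text, re.MULTILINE):
        sets[m.group(1)] = decode_mask(int(m.group(2), 16))
    return sets


def can_bypass_read_checks(sets):
    """True if the *effective* set lets the process read/search regardless of DAC permissions.

    Note that cap_dac_read_search only bypasses read and search checks, while
    cap_dac_override also bypasses write and execute checks; they are distinct bits.
    """
    effective = set(sets.get("CapEff", []))
    return bool(effective & {"cap_dac_read_search", "cap_dac_override"})


def read_own_status():
    """Decode the capability sets of the running process (Linux only)."""
    with open("/proc/self/status") as f:
        return parse_status(f.read())


# Constructed sample: an unprivileged user whose process holds only CAP_DAC_READ_SEARCH
# (bit 2 -> 0x4) in the permitted and effective sets, with a full bounding set.
SAMPLE_STATUS = """\
Name:\tbackup.sh
Uid:\t1001\t1001\t1001\t1001
CapInh:\t0000000000000000
CapPrm:\t0000000000000004
CapEff:\t0000000000000004
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    decoded = parse_status(SAMPLE_STATUS)
    for name in CAP_SETS:
        print("%s: %s" % (name, ", ".join(decoded.get(name, [])) or "(none)"))
    print("bypasses DAC read checks:", can_bypass_read_checks(decoded))
```

The CapInh and CapAmb lines are the ones to watch when a script rather than a binary is involved: an empty inheritable/ambient set in the parent means a child interpreter will not carry the capability forward unless the file or ambient rules grant it.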

Re: Capabilities on a user

Posted: 2021/04/06 21:46:37
by MartinR
Are capabilities inherited by required files, functions and subshells? Anyhow, I've gone down the sudo route and added:

...
Cmnd_Alias BACKUPS = /sbin/xfsdump, /sbin/dump, /bin/cpio, /bin/tar
...
BACKUP_USERS ALL=NOPASSWD: BACKUPS
...
as a file in /etc/sudoers on each node which seems to do the trick.
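Added example (mine, not the poster's): a small checker for a sudoers fragment like the one above. It expands User_Alias and Cmnd_Alias entries into the effective (user, host, runas, command, NOPASSWD) grants and flags the patterns that turn a narrow backup rule into a general root escalation: a command of ALL, a relative path, or a glob in the path. The User_Alias line for BACKUP_USERS is an assumption (the post elides it with "..."), and the second, loose fragment is constructed for contrast.

```python
import re

# Constructed fragment modelled on the posted one; the User_Alias line is assumed.
SAMPLE_SUDOERS = """\
User_Alias BACKUP_USERS = backup, martin
Cmnd_Alias BACKUPS = /sbin/xfsdump, /sbin/dump, /bin/cpio, /bin/tar
BACKUP_USERS ALL=NOPASSWD: BACKUPS
"""

# Constructed loose fragment for comparison: unrestricted command list and run-as.
LOOSE_SUDOERS = """\
ops ALL=(ALL) NOPASSWD: ALL
backup ALL=NOPASSWD: /bin/tar *, /usr/local/bin/*.sh
"""

ALIAS_RE = re.compile(r"^(User_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.+)$")
RULE_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?((?:[A-Z]+:\s*)*)(.+)$")
GLOB_CHARS = set("*?[")


def parse_fragment(text):
    """Split a sudoers fragment into user aliases, command aliases and rule lines."""
    users, cmnds, rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            (users if kind == "User_Alias" else cmnds)[name] = [x.strip() for x in members.split(",")]
            continue
        m = RULE_RE.match(line)
        if m:
            who, host, runas, tags, cmdlist = m.groups()
            rules.append({
                "who": who, "host": host, "runas": runas,
                "nopasswd": "NOPASSWD:" in tags,
                "cmds": [c.strip() for c in cmdlist.split(",")],
            })
    return users, cmnds, rules


def expand_cmnds(entry, cmnds, seen=()):
    """Recursively expand a Cmnd_Alias reference; plain commands expand to themselves."""
    if entry in cmnds and entry not in seen:
        out = []
        for member in cmnds[entry]:
            out.extend(expand_cmnds(member, cmnds, seen + (entry,)))
        return out
    return [entry]


def effective_grants(text):
    """Return (user, host, runas, command, nopasswd) tuples with all aliases expanded."""
    users, cmnds, rules = parse_fragment(text)
    grants = []
    for rule in rules:
        for user in users.get(rule["who"], [rule["who"]]):
            for entry in rule["cmds"]:
                for cmd in expand_cmnds(entry, cmnds):
                    grants.append((user, rule["host"], rule["runas"], cmd, rule["nopasswd"]))
    return grants


def lint(text):
    """Flag grants that are broader than a fixed list of absolute command paths."""
    findings = []
    for user, host, runas, cmd, nopasswd in effective_grants(text):
        path = cmd.split()[0]
        if cmd == "ALL":
            findings.append("%s may run ALL commands on %s" % (user, host))
        elif not path.startswith("/"):
            findings.append("%s: command '%s' is not an absolute path" % (user, cmd))
        elif GLOB_CHARS & set(path):
            findings.append("%s: command path '%s' contains a glob" % (user, path))
        elif GLOB_CHARS & set(cmd):
            findings.append("%s: '%s' allows arbitrary arguments via a glob" % (user, cmd))
        if runas == "ALL":
            findings.append("%s may run as any user (ALL)" % user)
    return findings


if __name__ == "__main__":
    for label, text in (("backup fragment", SAMPLE_SUDOERS), ("loose fragment", LOOSE_SUDOERS)):
        print(label + ":")
        for grant in effective_grants(text):
            print("  ", grant)
        print("  findings:", lint(text) or "none")
```

This is a lint for the fragment you intend to install, not a replacement for `visudo -c`, which still validates the syntax the real parser accepts; the point is to confirm that the expanded grants are exactly the fixed absolute paths you meant and nothing wider.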