Notes: Linux capabilities, security, caps, capsh, setcap
See:
man 7 capabilities
capsh --print
$ dpkg -L libcap-ng-utils | grep 'bin/'
/usr/bin/captest
/usr/bin/filecap
/usr/bin/netcap
/usr/bin/pscap
See:
tcpdump permissions for non-root users
Allow non-root users to use tcpdump
NOTE: it is also possible to use sudoers
Source: https://askubuntu.com/questions/530920/tcpdump-permissions-problem
Add a capture group and add yourself to it:
sudo groupadd pcap
sudo usermod -a -G pcap $USER
Next, change the group of tcpdump and set permissions:
sudo chgrp pcap /usr/sbin/tcpdump
sudo chmod 750 /usr/sbin/tcpdump
Finally, use setcap to give tcpdump the necessary permissions:
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
Be careful, this will allow everybody from the group pcap to manipulate network interfaces and read raw packets!
SyncThing - syncOwnership
Source: https://docs.syncthing.net/advanced/folder-sync-ownership
sudo chown root /usr/local/bin/syncthing
sudo chmod 755 /usr/local/bin/syncthing
sudo setcap CAP_CHOWN,CAP_FOWNER=pe /usr/local/bin/syncthing
Other
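Added example (not from these notes or the cited sources): a decoder for the security.capability extended attribute that setcap writes, useful when auditing which binaries carry file capabilities. It shows what the =eip set on tcpdump and the =pe set on syncthing look like on disk. The function names are hypothetical, and the two sample values are constructed by hand assuming the revision 2 layout of struct vfs_cap_data.

```python
import struct

# Capability numbers from <linux/capability.h>; only the ones named on this page.
CAP_NAMES = {0: "cap_chown", 3: "cap_fowner", 12: "cap_net_admin", 13: "cap_net_raw"}

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision -> number of 32-bit (permitted, inheritable) pairs
PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}


def names(mask):
    """Turn a capability bitmask into names (cap_<n> if not in CAP_NAMES)."""
    return [CAP_NAMES.get(bit, f"cap_{bit}") for bit in range(64) if mask >> bit & 1]


def decode_file_caps(raw):
    """Decode a security.capability xattr value (struct vfs_cap_data, little-endian)."""
    if len(raw) < 4:
        raise ValueError("xattr too short")
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision not in PAIRS:
        raise ValueError(f"unknown revision {revision:#x}")
    pairs = PAIRS[revision]
    # Revision 3 appends a 32-bit rootid after the capability pairs.
    expected = 4 + 8 * pairs + (4 if revision == 0x03000000 else 0)
    if len(raw) != expected:
        raise ValueError(f"expected {expected} bytes, got {len(raw)}")
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {
        "permitted": names(permitted),
        "inheritable": names(inheritable),
        # One flag for the whole file: the "e" in =eip / =pe is not a per-capability mask.
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
    }


# Constructed sample values, matching the two setcap commands on this page.
TCPDUMP = struct.pack("<IIIII", 0x02000001, 0x3000, 0x3000, 0, 0)  # cap_net_raw,cap_net_admin=eip
SYNCTHING = struct.pack("<IIIII", 0x02000001, 0x9, 0, 0, 0)        # CAP_CHOWN,CAP_FOWNER=pe

if __name__ == "__main__":
    for label, raw in (("tcpdump", TCPDUMP), ("syncthing", SYNCTHING)):
        print(label, decode_file_caps(raw))
```

On a real system the raw value can be read with os.getxattr(path, "security.capability") and passed to decode_file_caps.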
nerdctl run -ti --rm --cap-drop=all docker.io/jess/amicontained /bin/sh
tech/notes_linux_capabilities_securite_caps_capsh_setcap.1759263410.txt.gz · Last modified: by Jean-Baptiste
