Add support for Linux capabilities#458
Conversation
troglobit
left a comment
troglobit
left a comment
There was a problem hiding this comment.
Minor comment, so far this looks great! 💯 Really looking forward to reading the documentation so I might actually learn capabilities, finally 😅
aanderse
force-pushed
the
master
branch
3 times, most recently
from
54ab7dd to
30e69be
Compare
Implement Linux capability support for services, allowing them to run with minimal required privileges instead of running as root. This uses the modern IAB (Inheritable, Ambient, Bounding) API from libcap.
|
my friend |
|
i tested some services and everything worked as expected @troglobit is there anything else you would like me to add or change before i mark this as ready for review? |
Cool!
Nope, if you're happy and feel ready then please go ahead 😊 |
A user reports inability to re-start getty on the console after logging out from a serial console. After some digging it was found that the tty was owned by the last user logged in and 600. Even thougn getty runs as root, it did not have permission to re-open the device node. Turns out there was a minor bug in the new capability code that cleared all capabilities from the root user. A surprising amount of programs worked just fine, but restarting getty gave it away. The fix is to only call cap_setuid() when capabilities are set for the service, otherwise we just fall back to setuid(). Also, refactor service_register() wrt. capabilities a bit so that we can give users an early warning if the configuration is invalid, by adding a parse_caps() helper function that calls cap_iab_from_text() to verify. Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
|
@aanderse I just pushed a few follow-up commits to this:
Could you have a look so it doesn't break your use-cases? |
|
i'm so sorry for the hassle @troglobit - i am very confused how none of my daemons running as the documentation and code changes make sense to me. i will give these changes a test today and report back. thank you! |
Absolutely no problem, mate! I'm not entirely sure why the
Sounds good, and thanks a lot for taking the time to dig into this, update the docs, and actually test it. I really appreciate the effort you put into this, and any feedback you can give now 👍 |
|
i tested this on my home server which makes use of thanks again @troglobit 🙇♂️ |
Awesome, that's great news!
Thank you for testing! 🙏 |
2 participants
Implement Linux capability support for services, allowing them to run with minimal required privileges instead of running as root. This uses the modern IAB (Inheritable, Ambient, Bounding) API from libcap.
resolves #454
my motivation for this feature: i recently installed
finiton my home server which runscaddyas a web servercap_net_bind_servicewould be very helpful here