Can capabilities be used in scripts without setcap'ing the interpreter binary?












Right now I'm using cap_net_bind_service MY_USERNAME in /etc/security/capability.conf.

Now I just need to set cap_net_bind_service+i on the interpreter of my favorite scripting language to be able to add CAP_NET_BIND_SERVICE to the effective set via libcap[-ng].

This works fine, but I wonder if there's a way to achieve the same thing without setting any caps on the interpreter binary. While it's not a big problem (other user accounts don't have the cap, so they can't use it even with the bit set on the interpreter binary), it's somewhat annoying since I have to re-set the flag every time the interpreter is updated.










Tags: linux, scripting, executable, setcap, capabilities






asked Sep 1 '12 at 19:37 by ThiefMaster
edited Feb 4 '18 at 17:09 by Jeff Schaller






















1 Answer






Usually, the capabilities are inherited by the children. As stated in the manpage:

    A child created via fork(2) inherits copies of its parent's capability sets.

The issue with scripts is that they are not directly executable. The kernel goes through a list of checks (the kernel code is located at fs/binfmt_*.c). One of them is "binfmt_script.c", which checks the first line for a shebang, then calls the real interpreter (the one in the shebang) with your script as an argument. As such, the standard/common interpreter is called, and simply reads your script as an argument.

This means you'll have to set the capability on the interpreter, not on the script.
The same thing applies to suid bits and other special flags.

So either you make a copy of your interpreter, set the capabilities you want on it (also check that nobody can access it through chmod/chown), and call this copied interpreter in your shebang.
You may also do the setcap logic in your script.







answered Oct 24 '14 at 14:19 by Adrien M.
edited Feb 1 at 12:33













• Ok, didn't see the question was asked 2 years ago but never closed... Also, seems like a duplicate of unix.stackexchange.com/questions/87348/…
  – Adrien M. Oct 24 '14 at 14:22

• But only i (inherit) gets past exec. And i does nothing on its own; it only works if the file has a matching i, and I think the e (effective) bit (unless the script/executable sets that). It is even more complex than setuid; this is not a script effect.
  – ctrl-alt-delor Apr 16 '15 at 14:17

• I thought the shebang was read by the kernel, not the shell? (stackoverflow.com/questions/3009192/how-does-the-shebang-work/…)
  – Philip Couling Jan 31 at 20:04

• couling, you're right. It was a misinterpretation I understood later. I've fixed it with hints on where the kernel code for script execution is located.
  – Adrien M. Feb 1 at 12:34
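The rules the answer and the comments describe (the kernel execs the shebang interpreter, so only the interpreter's file capabilities count, and a file's i bit only takes effect against a matching i bit in the process) worked through as an added example that is not part of the thread. It models the execve(2) capability transformation from capabilities(7) in Python; the user and file capability values are constructed sample inputs, and, going beyond the thread, it also models the ambient set (Linux 4.3 and later), which is the mechanism that lets a capability survive the exec of an interpreter that carries no file capabilities at all.

```python
from dataclasses import dataclass
from typing import Optional

CAP_NET_BIND_SERVICE = 1 << 10  # capability number 10 in <linux/capability.h>

@dataclass
class ProcCaps:
    """A thread's capability sets as bit masks; bounding defaults to all bits set."""
    permitted: int = 0
    effective: int = 0
    inheritable: int = 0
    bounding: int = -1
    ambient: int = 0

@dataclass
class FileCaps:
    """Sets from a security.capability xattr (what setcap writes); effective is one flag."""
    permitted: int = 0
    inheritable: int = 0
    effective: bool = False

def exec_caps(p: ProcCaps, f: Optional[FileCaps], setuid: bool = False) -> ProcCaps:
    """Transformation rules from capabilities(7) for a successful execve(2)."""
    privileged = setuid or (f is not None and bool(f.permitted or f.inheritable))
    f = f or FileCaps()  # file without the xattr: every file set is empty
    ambient = 0 if privileged else p.ambient  # ambient survives only unprivileged execs
    permitted = (p.inheritable & f.inheritable) | (f.permitted & p.bounding) | ambient
    effective = permitted if f.effective else ambient  # without +e the cap is permitted only
    return ProcCaps(permitted, effective, p.inheritable, p.bounding, ambient)

def exec_script(p: ProcCaps, interp: Optional[FileCaps], script: Optional[FileCaps]) -> ProcCaps:
    """binfmt_script execs the shebang interpreter, so only the interpreter's xattr counts."""
    _ = script  # the script's own file capabilities are never consulted by the kernel
    return exec_caps(p, interp)

def raise_effective(p: ProcCaps, cap: int) -> ProcCaps:
    """What cap_set_proc()/capng_apply() does: effective can only be raised from permitted."""
    if (p.permitted & cap) != cap:
        raise PermissionError("capability is not in the permitted set")
    return ProcCaps(p.permitted, p.effective | cap, p.inheritable, p.bounding, p.ambient)

# Constructed sample inputs for the setup in the question: pam_cap puts the cap into the
# listed user's inheritable set, and the interpreter carries cap_net_bind_service+i.
LISTED_USER = ProcCaps(inheritable=CAP_NET_BIND_SERVICE)
OTHER_USER = ProcCaps()
INTERP_PLUS_I = FileCaps(inheritable=CAP_NET_BIND_SERVICE)
SCRIPT_WITH_CAPS = FileCaps(permitted=CAP_NET_BIND_SERVICE, effective=True)  # setcap on the script
# Linux 4.3+: a cap raised into the ambient set (it must already be permitted and inheritable)
AMBIENT_USER = ProcCaps(permitted=CAP_NET_BIND_SERVICE, inheritable=CAP_NET_BIND_SERVICE,
                        ambient=CAP_NET_BIND_SERVICE)

if __name__ == "__main__":
    after = exec_script(LISTED_USER, INTERP_PLUS_I, None)
    print("listed user, +i interpreter: permitted=%#x effective=%#x" % (after.permitted, after.effective))
    print("after cap_set_proc: effective=%#x" % raise_effective(after, CAP_NET_BIND_SERVICE).effective)
    print("other user: permitted=%#x" % exec_script(OTHER_USER, INTERP_PLUS_I, None).permitted)
    print("caps on the script only: permitted=%#x" % exec_script(LISTED_USER, None, SCRIPT_WITH_CAPS).permitted)
    print("ambient, no file caps: effective=%#x" % exec_script(AMBIENT_USER, None, None).effective)
```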


















