Can capabilities be used in scripts without setcap'ing the interpreter binary?
Right now I'm using cap_net_bind_service MY_USERNAME in /etc/security/capability.conf. Now I just need to set cap_net_bind_service+i on the interpreter of my favorite scripting language to be able to add CAP_NET_BIND_SERVICE to the effective set via libcap[-ng].

This works fine, but I wonder if there's a way to achieve the same thing without setting any caps on the interpreter binary. While it's not a big problem (other user accounts don't have the cap, so they can't use it even with the bit set on the interpreter binary), it's somewhat annoying since I have to re-set the flag every time the interpreter is updated.
linux scripting executable setcap capabilities
edited Feb 4 '18 at 17:09
Jeff Schaller
asked Sep 1 '12 at 19:37
ThiefMaster
1 Answer
Usually, capabilities are inherited by children. As stated in the manpage:
A child created via fork(2) inherits copies of its parent's capability sets.
The issue with scripts is that they are not directly executable. The kernel goes through a list of checks (the kernel code is located at fs/binfmt_*.c). One of them is "binfmt_script.c", which checks the first line for a shebang, then calls the real interpreter (the one in the shebang) with your script as argument. As such, the standard/common interpreter is called, and simply reads your script as an argument.
This means you'll have to set the capability on the interpreter, not on the script. The same thing applies to suid bits and other special flags.
So either you make a copy of your interpreter, set the capabilities you want on it (also check that nobody can access it through chmod/chown), and call this copied interpreter in your shebang.
You also may do the setcap logic in your script.
edited Feb 1 at 12:33
answered Oct 24 '14 at 14:19
Adrien M.
Ok, didn't see the question was asked 2 years ago but never closed... Also, seems like a duplicate of unix.stackexchange.com/questions/87348/…
– Adrien M.
Oct 24 '14 at 14:22
but only i (inherit) gets past exec. And i does nothing on its own, it only works if the file has a matching i, and I think the e (effective) bit (unless the script/executable sets that). It is even more complex than setuid, this is not a script effect.
– ctrl-alt-delor
Apr 16 '15 at 14:17
I thought the shebang was read by the kernel not the shell? (stackoverflow.com/questions/3009192/how-does-the-shebang-work/…)
– Philip Couling
Jan 31 at 20:04
couling you're right. It was a misinterpretation I understood later. I've fixed it with hints on where the kernel code for scripts execution is located.
– Adrien M.
Feb 1 at 12:34
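The exec-time rule behind the answer and behind the comment about the i and e flags, as an added example that is not part of the original thread: it applies the execve() capability-transition formulas from capabilities(7) to the question's setup (pam_cap granting cap_net_bind_service in the inheritable set, interpreter with +i or +ie, or no file caps at all). The capability numbers, the starting state and the file-cap dicts are constructed for illustration.

```python
# Added example (not from the original thread): apply the execve()
# capability-transition rules of capabilities(7) (Linux >= 4.3, with the
# ambient set) to the question's setup. All values are constructed.
CAP_NET_BIND_SERVICE = 1 << 10            # capability number 10
ALL_CAPS = (1 << 41) - 1                  # bits 0..40; CAP_LAST_CAP is 40 on current kernels

def exec_caps(proc, file_caps):
    """Return the process capability sets after execve().

    proc:      dict of bitmasks with keys 'inh', 'prm', 'eff', 'bnd', 'amb'
    file_caps: None for a file with no capability xattr (a script, or an
               interpreter that was never setcap'ed); otherwise a dict with
               bitmasks 'inh', 'prm' and a bool 'eff' (the setcap 'e' flag
               is a single bit that applies to the whole file set).
    """
    if file_caps is None:
        f_inh, f_prm, f_eff = 0, 0, False
        new_amb = proc["amb"]            # ambient set survives an unprivileged exec
    else:
        f_inh, f_prm, f_eff = file_caps["inh"], file_caps["prm"], file_caps["eff"]
        new_amb = 0                      # a file with caps (or setuid) clears ambient
    # P'(permitted) = (P(inh) & F(inh)) | (F(prm) & P(bnd)) | P'(amb)
    new_prm = (proc["inh"] & f_inh) | (f_prm & proc["bnd"]) | new_amb
    # P'(effective) = F(eff) ? P'(permitted) : P'(amb)
    new_eff = new_prm if f_eff else new_amb
    return {"inh": proc["inh"], "prm": new_prm, "eff": new_eff,
            "bnd": proc["bnd"], "amb": new_amb}

def has_cap(caps, which, cap):
    """True if capability bit `cap` is present in the named set."""
    return bool(caps[which] & cap)

# Constructed starting state: pam_cap put cap_net_bind_service in the login
# session's inheritable set, as the question's capability.conf line does.
LOGIN_SHELL = {"inh": CAP_NET_BIND_SERVICE, "prm": 0, "eff": 0,
               "bnd": ALL_CAPS, "amb": 0}
# Interpreter setcap'ed 'cap_net_bind_service+i' (the question's setup).
INTERP_I = {"inh": CAP_NET_BIND_SERVICE, "prm": 0, "eff": False}
# Interpreter setcap'ed 'cap_net_bind_service+ie'.
INTERP_IE = {"inh": CAP_NET_BIND_SERVICE, "prm": 0, "eff": True}

if __name__ == "__main__":
    cases = [("interpreter with no file caps", None),
             ("interpreter with +i", INTERP_I),
             ("interpreter with +ie", INTERP_IE)]
    for name, fcaps in cases:
        after = exec_caps(LOGIN_SHELL, fcaps)
        print(f"{name:30s} permitted={has_cap(after, 'prm', CAP_NET_BIND_SERVICE)!s:5s} "
              f"effective={has_cap(after, 'eff', CAP_NET_BIND_SERVICE)}")
```

With +i only, the capability reaches the permitted set but not the effective set, which is why the question still needs libcap to raise it; with no file caps on the interpreter, the process inheritable bit alone yields nothing, which is the answer's point.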