On Sunday, 21-07-2024 at 07:57 daggs wrote:
> Greetings,
>
> I have a bookworm installation where I want to allow a group of users to run a specific binary that needs to execute an ioctl which is not possible for normal users.
> in comes pam+libcap.
> so I've installed libcap, updated /etc/security/capability.conf with this line: cap_net_admin @igor
> then I've moved the bin I've created to /usr/local/bin and defined this in /etc/pam.d:
> $ cat /etc/pam.d/test1
> auth optional pam_cap.so

$ man auth
No manual entry for auth

Daggs, I do not have the Linux skills to help you, hopefully others do and can help you.
I would ask if you could give a bit more detail, it may help others to help you.
Is what you are trying to do related to what this page is about?
https://adil.medium.com/run-your-applications-with-necessary-privileges-linux-capabilities-428e2c402f0b

George

https://adil.medium.com/run-your-applications-with-necessary-privileges-linux-capabilities-428e2c402f0b

https://man7.org/linux/man-pages/man3/libcap.3.html

https://www.sciencedirect.com/topics/computer-science/libpcap-library
This library is frequently used in network security tools for a variety of purposes including in network scanners and network monitoring software.

https://manpages.ubuntu.com/manpages/focal/en/man5/capability.conf.5.html
If any capability name or numeric value is invalid/unknown to the local system, the capabilities will be rejected, and the inheritable set will not be modified.

https://unix.stackexchange.com/questions/74607/is-it-possible-to-specify-groups-in-etc-security-capability-conf
my pet project is to replace the setuid on a lot of the binaries and provide access to additional privileged utilities to non-root users.

>
> now I'm trying to run test1 as user igor which is in the relevant group:
> $ id igor
> uid=1000(igor) gid=1000(igor) groups=1000(igor),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev)
>
> when I run it, I get this error:
> $ test1
> Unable to create tap device: Operation not permitted
>
> what am I doing wrong?
>
> Thanks
>
> Dagg
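Added example, my own and not code from the thread: a POSIX shell model of the capabilities(7) exec rule, which decides whether a capability that pam_cap put into a login session's inheritable set reaches a binary like /usr/local/bin/test1. It assumes bit 12 for CAP_NET_ADMIN, a full bounding set, an empty ambient set, and that pam_cap only ever modifies the inheritable set (as the capability.conf man page quoted above states); the binary path and the hex masks are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: model the capabilities(7) exec rule
#   P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient)
# to show when an inheritable capability that pam_cap placed in a login
# session actually reaches a binary such as /usr/local/bin/test1.
CAP_NET_ADMIN=12                 # bit number from <linux/capability.h>
FULL_BOUNDING=000001ffffffffff   # constructed: bits 0-40 set, an unrestricted bounding set

# cap_mask BIT... -> 16-digit hex mask with the given capability bits set
cap_mask() {
  local m=0 b
  for b in "$@"; do m=$(( $m | (1 << $b) )); done
  printf '%016x' "$m"
}

# has_cap HEXMASK BIT -> yes|no
has_cap() {
  if [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# exec_permitted P_INH F_INH F_PERM BOUNDING AMBIENT -> P'(permitted) as hex
exec_permitted() {
  printf '%016x' $(( (0x$1 & 0x$2) | (0x$3 & 0x$4) | 0x$5 ))
}

# verdict P_INH F_INH F_PERM -> one line explaining the cap_net_admin outcome.
# Assumes a full bounding set and an empty ambient set (what a normal login gets).
verdict() {
  local perm; perm=$(exec_permitted "$1" "$2" "$3" "$FULL_BOUNDING" 0)
  if [ "$(has_cap "$perm" "$CAP_NET_ADMIN")" = yes ]; then
    echo "granted: cap_net_admin is in the new permitted set"
  elif [ "$(has_cap "$1" "$CAP_NET_ADMIN")" = yes ]; then
    echo "blocked at exec: session has it inheritable, but the file lacks it (setcap cap_net_admin=i on the binary)"
  else
    echo "blocked at login: pam_cap did not add cap_net_admin to this session's inheritable set"
  fi
}

# live_session_has BIT -> yes|no for this shell's own inheritable set, read from /proc
live_session_has() {
  local inh; inh=$(awk '/^CapInh:/ {print $2}' /proc/self/status)
  has_cap "$inh" "$1"
}

# Walk the three states behind the thread's "Operation not permitted".
session_inh=$(cap_mask "$CAP_NET_ADMIN")   # what a successful pam_cap run leaves behind
verdict 0 0 0                              # pam_cap.so never ran in the login service's PAM stack
verdict "$session_inh" 0 0                 # pam_cap ran, but the binary has no file capabilities
verdict "$session_inh" "$session_inh" 0    # binary also carries cap_net_admin=i
```

Run `live_session_has 12` in a fresh login as igor and compare it with `getcap /usr/local/bin/test1` to see which of the three states applies; with `=i` alone the capability is only permitted, so the program must raise it to effective itself (libcap's cap_set_proc) unless the file capability is `=ei`.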