Greetings George,

>Sent: Sunday, July 21, 2024 at 4:00 AM
>From: "George at Clug" <c...@goproject.info>
>To: debian-user@lists.debian.org
>Subject: Re: pam and pam-cap don't play along
>On Sunday, 21-07-2024 at 07:57 daggs wrote:
>> Greetings,
>>
>> I have a bookworm installation where I want to allow a group of users to run a 
>> specific binary that needs to execute an ioctl which is not possible for 
>> normal users.
>> in comes pam+libcap.
>> so I've installed libcap, updated /etc/security/capability.conf with this 
>> line: cap_net_admin   @igor
>> then I've moved the bin I've created to /usr/local/bin and defined this in 
>> /etc/pam.d:
>> $ cat /etc/pam.d/test1
>> auth optional pam_cap.so
>
>$ man auth
>No manual entry for auth
>
>Daggs,
>
>I do not have the Linux skills to help you, hopefully other do and can help 
>you.
>
>I would ask if you could give a bit more detail, it may help others to help 
>you.
>
>Is what you are trying to do, related to what this page is about?
>https://adil.medium.com/run-your-applications-with-necessary-privileges-linux-capabilities-428e2c402f0b
>
>George

Yes, this looks like what I'm trying to do. I'll look into it, thanks for the 
link.
What I need to do is allow virsh to create tap interfaces when starting a VM in 
session scope rather than system scope.
I just tried to minimize the test case.

Thanks,

Dagg

>
>https://adil.medium.com/run-your-applications-with-necessary-privileges-linux-capabilities-428e2c402f0b
>
>https://man7.org/linux/man-pages/man3/libcap.3.html
>
>https://www.sciencedirect.com/topics/computer-science/libpcap-library
>This library is frequently used in network security tools for a variety of 
>purposes including in network scanners and network monitoring software.
>
>https://manpages.ubuntu.com/manpages/focal/en/man5/capability.conf.5.html
>       If any capability name or numeric value is invalid/unknown to the local system, the
>       capabilities will be rejected, and the inheritable set will not be modified.
>
>https://unix.stackexchange.com/questions/74607/is-it-possible-to-specify-groups-in-etc-security-capability-conf
>my pet project is to replace the setuid on a lot of the binaries and provide 
>access to additional privileged utilities to non-root users.
>
>>
>> now I'm trying to run test1 as user igor which is in the relevant group:
>> $ id igor
>> uid=1000(igor) gid=1000(igor) 
>> groups=1000(igor),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev)
>>
>> when I run it, I get this error:
>> $ test1
>> Unable to create tap device: Operation not permitted
>>
>> what am I doing wrong?
>>
>> Thanks
>>
>> Dagg
>>
>>
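A diagnostic for the failure described in this thread, added here as an example and not code from either poster. pam_cap.so only adds the capabilities listed in /etc/security/capability.conf to the session's inheritable set; on exec, an inheritable capability becomes permitted (and effective) only if the executable carries a matching file capability in its own inheritable set (for example `setcap cap_net_admin+ei /usr/local/bin/test1`). So "Operation not permitted" can mean either that pam_cap never ran for that service, or that it ran and the binary simply cannot pick the capability up. The program below reads the five Cap* masks from /proc/self/status (CAP_NET_ADMIN is capability number 12, so bit 12 of each mask) and reports which stage the capability reached. The status excerpts embedded for testing are constructed, not captured from a real system.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* CAP_NET_ADMIN is capability number 12 (linux/capability.h), so it is bit 12
 * of the hex masks the kernel prints in /proc/<pid>/status. */
#define CAP_NET_ADMIN_BIT 12

/* The five per-thread capability sets as 64-bit masks. */
struct capsets { uint64_t inh, prm, eff, bnd, amb; };

/* Result of net_admin_state(): how far CAP_NET_ADMIN has got for this process. */
enum { NA_ABSENT = 0, NA_INHERITABLE = 1, NA_PERMITTED = 2, NA_EFFECTIVE = 3 };

/* Parse the Cap* lines of a /proc/<pid>/status text into cs.
 * Returns the number of Cap* lines recognised (5 on a current kernel). */
int parse_capsets(const char *status, struct capsets *cs)
{
    int found = 0;
    memset(cs, 0, sizeof *cs);
    for (const char *p = status; *p; ) {
        const char *eol = strchr(p, '\n');
        uint64_t *dst = NULL;
        if      (strncmp(p, "CapInh:", 7) == 0) dst = &cs->inh;
        else if (strncmp(p, "CapPrm:", 7) == 0) dst = &cs->prm;
        else if (strncmp(p, "CapEff:", 7) == 0) dst = &cs->eff;
        else if (strncmp(p, "CapBnd:", 7) == 0) dst = &cs->bnd;
        else if (strncmp(p, "CapAmb:", 7) == 0) dst = &cs->amb;
        /* strtoull skips the tab between the label and the hex mask. */
        if (dst) { *dst = strtoull(p + 7, NULL, 16); found++; }
        if (!eol) break;
        p = eol + 1;
    }
    return found;
}

static int has_bit(uint64_t set, int bit) { return (int)((set >> bit) & 1u); }

/* Classify CAP_NET_ADMIN by the most useful set it appears in. */
int net_admin_state(const char *status)
{
    struct capsets cs;
    parse_capsets(status, &cs);
    if (has_bit(cs.eff, CAP_NET_ADMIN_BIT)) return NA_EFFECTIVE;
    if (has_bit(cs.prm, CAP_NET_ADMIN_BIT)) return NA_PERMITTED;
    if (has_bit(cs.inh, CAP_NET_ADMIN_BIT)) return NA_INHERITABLE;
    return NA_ABSENT;
}

/* Human-readable explanation for each state. */
const char *explain(int state)
{
    switch (state) {
    case NA_EFFECTIVE:   return "effective: the tap ioctl should be permitted";
    case NA_PERMITTED:   return "permitted only: the program must raise it into its effective set";
    case NA_INHERITABLE: return "inheritable only: pam_cap did its job, but the executable has no matching file inheritable capability";
    default:             return "absent: pam_cap did not add it (check capability.conf and the pam stack for this service)";
    }
}

/* Constructed sample status excerpts (not captured from a real system). */
static const char SAMPLE_NONE[] =
    "Name:\ttest1\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n";
static const char SAMPLE_INH_ONLY[] =
    "Name:\ttest1\nCapInh:\t0000000000001000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n";
static const char SAMPLE_EFFECTIVE[] =
    "Name:\ttest1\nCapInh:\t0000000000001000\nCapPrm:\t0000000000001000\n"
    "CapEff:\t0000000000001000\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n";

/* Stand-alone use: report on the calling process itself. */
int main(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) { perror("/proc/self/status"); return 1; }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    printf("CAP_NET_ADMIN: %s\n", explain(net_admin_state(buf)));
    return 0;
}
```

Run it from a login shell of the user in question: if it reports "absent", the pam side is the problem (pam_cap.so must be in the stack of the service that actually logged the user in, not only in a file named after the test binary); if it reports "inheritable only", pam_cap worked and the missing piece is the file capability on the executable, which `getcap` on the binary will confirm. `grep Cap /proc/$$/status` in the same shell shows the raw masks the program is interpreting.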
