Greetings,

I'm trying to allow a specific group the ability to run virsh with 
cap_net_admin capabilities.
I've installed libcap2-bin and cap_pam, added user foo to libvirt-qemu, see:
uid=1001(foo) gid=1001(foo) 
groups=1001(foo),103(kvm),108(netdev),109(libvirt),64055(libvirt-qemu)

Next, I've configured the libvirt-qemu group with the cap_net_admin cap in 
/etc/security/capability.conf, see:
#
# /etc/security/capability.conf
#
# this is a sample capability file (to be used in conjunction with
# the pam_cap.so module)
#
# In order to use this module, it must have been linked with libcap
# and thus you'll know about Linux's capability support.
# [If you don't know about libcap, read more about it here:
#
#   https://sites.google.com/site/fullycapable/
#
# There is a page devoted to pam_cap.so here:
#
#   https://sites.google.com/site/fullycapable/pam_cap-so
#
# .]
#
# Here are some sample lines (remove the preceding '#' if you want to
# use them).
#
# The pam_cap.so module accepts the following arguments:
#
#   debug         - be more verbose logging things (unused by pam_cap for now)
#   config=<file> - override the default config for the module with file
#   keepcaps      - workaround for applications that setuid without this
#   autoauth      - if you want pam_cap.so to always succeed for the auth phase
#   default=<iab> - provide a fallback IAB value if there is no '*' rule

## user 'morgan' gets the CAP_SETFCAP inheritable capability (commented out!)
#cap_setfcap            morgan

## user 'luser' inherits the CAP_DAC_OVERRIDE capability (commented out!)
#cap_dac_override       luser

cap_net_admin   @libvirt-qemu

## 'everyone else' gets no inheritable capabilities (restrictive config)
none  *

## if there is no '*' entry, and no "default=<iab>" pam_cap.so module
## argument to fallback on, all users not explicitly mentioned will
## get all currently available inheritable capabilities. This is a
## permissive default, and possibly not what you want... On first
## reading, you might think this is a security problem waiting to
## happen, but it defaults to not being so in this sample file!
## Further, by 'get', we mean 'get in their IAB sets'. That is, if you
## look at a random process, even one run by root, you will see it has
## no IAB capabilities (by default):
##
##   $ /sbin/capsh --decode=$(grep CapInh /proc/1/status|awk '{print $2}')
##   0000000000000000=
##
## The pam_cap module simply alters the value of the inheritable
## capability vectors (IAB). Including the 'none *' forces use of this
## module with an unspecified user to have their inheritable set
## forced to zero.
##
## Omitting the line will cause the inheritable set to be unmodified
## from what the parent process had (which is generally 0 unless the
## invoking user was bestowed with some inheritable capabilities by a
## previous invocation).

Created /etc/pam.d/virsh with this content:
auth required pam_cap.so
and set the caps on /usr/bin/virsh as follows:
/usr/bin/virsh cap_net_admin=eip

Now I run virsh and break it with ^Z, get the pid, and run
/sbin/capsh --decode=$(grep CapInh /proc/743/status | awk '{print $2}'), and I 
get this:
0x0000000000000000=

i.e. no permissions.... What am I doing wrong?

Thanks,

Dagg
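An added diagnostic helper, not part of Dagg's post, that generalises the capsh --decode check above: it decodes every Cap* mask in /proc/<pid>/status into capability names and marks which sets hold cap_net_admin, since a capability is only honoured at run time when it is in CapEff, not when it merely sits in CapInh. The name table is constructed from the bit numbers in include/uapi/linux/capability.h (bits 0-40).

```shell
#!/bin/sh
# Decode CapInh/CapPrm/CapEff/CapBnd/CapAmb from /proc/<pid>/status without
# capsh. Names are indexed by bit number as in include/uapi/linux/capability.h
# (constructed table, bits 0-40); any higher bit is printed as cap_<n>.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read perfmon bpf checkpoint_restore"
CAP_NET_ADMIN_BIT=12   # the capability the post is trying to grant
# cap_name BIT: print the name for a capability bit number
cap_name() {
    i=0
    for name in $CAP_NAMES; do
        [ "$i" -eq "$1" ] && { printf 'cap_%s\n' "$name"; return 0; }
        i=$((i + 1))
    done
    printf 'cap_%s\n' "$1"
}
# decode_caps HEXMASK: print the names set in a 64-bit mask (with or without 0x)
decode_caps() {
    mask=$((0x${1#0x}))
    out=""
    b=0
    while [ "$b" -lt 64 ]; do
        [ $(( (mask >> b) & 1 )) -eq 1 ] && out="${out:+$out,}$(cap_name "$b")"
        b=$((b + 1))
    done
    printf '%s\n' "${out:-(none)}"
}
# has_cap HEXMASK BIT: succeed when the given bit is set in the mask
has_cap() {
    mask=$((0x${1#0x}))
    [ $(( (mask >> $2) & 1 )) -eq 1 ]
}
# report_pid PID: decode every Cap* line of /proc/PID/status and flag the sets
# that hold cap_net_admin; only CapEff actually grants it to the process
report_pid() {
    grep '^Cap' "/proc/$1/status" | while read -r label hex; do
        if has_cap "$hex" "$CAP_NET_ADMIN_BIT"; then mark="[net_admin]"; else mark=""; fi
        printf '%-8s %-12s %s\n' "$label" "$mark" "$(decode_caps "$hex")"
    done
}
# Usage: sh capcheck.sh <pid>   (e.g. the pid of the stopped virsh)
if [ $# -gt 0 ]; then report_pid "$1"; fi
```

Run it against the pid of the stopped virsh and compare the CapInh, CapPrm and CapEff rows: the capsh command in the post only looks at CapInh.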
