Re: pam and pam-cap don't play along

To: George at Clug <Clug@goproject.info>
Cc: debian-user@lists.debian.org
Subject: Re: pam and pam-cap don't play along
From: daggs <daggs@gmx.com>
Date: Sun, 21 Jul 2024 09:01:23 +0200
Message-id: <[🔎] trinity-f85b1eb7-434d-4f27-a811-b57440ef971e-1721545283359@3c-app-mailcom-bs16>
In-reply-to: <[🔎] c146cba7521680087e1d23dd1f5d7791@go.goproject.info>
References: <[🔎] c146cba7521680087e1d23dd1f5d7791@go.goproject.info>

Greetings George,

>Sent: Sunday, July 21, 2024 at 4:00 AM
>From: "George at Clug" <Clug@goproject.info>
>To: debian-user@lists.debian.org
>Subject: Re: pam and pam-cap don't play along
>On Sunday, 21-07-2024 at 07:57 daggs wrote:
>> Greetings,
>>
>> I have bookworm installation where I want to allow a group of users to run a specific binary that needs to execute a ioctl which is not possible for normal users.
>> in comes pam+libcap.
>> so I've installed libcap, updated /etc/security/capability.conf with this line: cap_net_admin   @igor
>> then I've moved the bin I've created to /usr/local/bin and defined this in /etc/pam.d:
>> $ cat /etc/pam.d/test1
>> auth optional pam_cap.so
>
>$ man auth
>No manual entry for auth
>
>Daggs,
>
>I do not have the Linux skills to help you, hopefully other do and can help you.
>
>I would ask if you could give a bit more detail, it may help others to help you.
>
>Is what you are trying to do, related to what this page is about?
>https://adil.medium.com/run-your-applications-with-necessary-privileges-linux-capabilities-428e2c402f0b
>
>George

yes, this looks like what I'm trying to do, I'll look into it, thanks for the link.
what I need to do is to allow virsh the ability to create tap interfaces when starting a vm in a session scope rather than a system scope.
I just tried to minimize the test case.

Thanks,

Dagg

>
>https://adil.medium.com/run-your-applications-with-necessary-privileges-linux-capabilities-428e2c402f0b[https://adil.medium.com/run-your-applications-with-necessary-privileges-linux-capabilities-428e2c402f0b]
>
>https://man7.org/linux/man-pages/man3/libcap.3.html
>
>https://www.sciencedirect.com/topics/computer-science/libpcap-library
>This library is frequently used in network security tools for a variety of purposes including in network scanners and network monitoring software.
>
>https://manpages.ubuntu.com/manpages/focal/en/man5/capability.conf.5.html[https://manpages.ubuntu.com/manpages/focal/en/man5/capability.conf.5.html]
>       If any capability name or numeric value is invalid/unknown to the local system, the
>       capabilities will be rejected, and the inheritable set will not be modified.
>
>https://unix.stackexchange.com/questions/74607/is-it-possible-to-specify-groups-in-etc-security-capability-conf[https://unix.stackexchange.com/questions/74607/is-it-possible-to-specify-groups-in-etc-security-capability-conf]
>my pet project is to replace the setuid on a lot of the binaries and provide access to additional privileged utilities to non-root users.
>
>>
>> now I'm trying to run test1 as user igor which is in the relevant group:
>> $ id igor
>> uid=1000(igor) gid=1000(igor) groups=1000(igor),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev)
>>
>> when I run it, I get this error:
>> $ test1
>> Unable to create tap device: Operation not permitted
>>
>> what am I going wrong?
>>
>> Thanks
>>
>> Dagg
>>
>>

Reply to:

References:
- Re: pam and pam-cap don't play along
  - From: George at Clug <Clug@goproject.info>

Prev by Date: sendmail without DNS
Next by Date: Re: pam and pam-cap don't play along
Previous by thread: Re: pam and pam-cap don't play along
Next by thread: Re: pam and pam-cap don't play along
Index(es):
- Date
- Thread