Feature #3176
Extend the File type to manage filesystem capabilities
| Status: | Accepted | Start date: | 02/12/2010 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | file | | |
| Target version: | - | | |
| Affected Puppet version: | 0.25.4 | Branch: | |
| Keywords: | | | |
| Votes: | 0 | | |
Description
It’s starting to sound like Linux’s capabilities are going to be the next Big Thing. Puppet should be able to enforce various capabilities on files.
I imagine something like

```puppet
file { "/usr/sbin/tcpdump":
  capabilities => [ "CAP_NET_RAW" ],
}
```

which would do the equivalent of running `setcap cap_net_raw=ep /usr/sbin/tcpdump`.
I don’t see evidence of Ruby bindings for libcap2 at this time. See capabilities(7) for more information.
History
Updated by James Turnbull about 2 years ago
- Status changed from Unreviewed to Needs Decision
- Assignee set to Luke Kanies
Updated by Luke Kanies about 2 years ago
- Status changed from Needs Decision to Accepted
- Assignee deleted (Luke Kanies)
I’m comfortable with this, but how do these even work? Shell commands?
Updated by John Warburton 8 months ago
This functionality would be great. For now, I have to use a set of execs.
I already use Solaris RBAC functionality in puppet to allow the puppet user to run web servers etc. and listen on ports < 1024:

```puppet
user { 'puppet':
  keys => 'defaultpriv=basic,net_privaddr',
}
```
The use case above is to set cap_net_raw on /usr/sbin/tcpdump, ensure pam_cap.so is included in /etc/pam.d, and add an entry for users to inherit this capability in /etc/security/capability.conf:

```
cap_net_raw userX
```

See Chris Friedhoff's POSIX Capabilities Page for an excellent writeup.
Updated by John Warburton 8 months ago
I forgot to mention that we need to be able to set the file capability. In Andrew's example, he sets the file capability to `ep` (Effective/Permitted), which allows anyone this capability on this file.
For access control to users, I need to set file capability `ei` on the file so that it also checks /etc/security/capability.conf:

```sh
setcap cap_net_raw=ei /usr/sbin/tcpdump
```
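An idempotent getcap/setcap check of the kind the "set of execs" above needs, as an added example that is not from the ticket or from Puppet itself. It assumes libcap's getcap and setcap binaries are on PATH and that the target path contains no spaces; it handles both output formats getcap has used over time.

```shell
#!/bin/sh
# Idempotent wrapper around setcap/getcap (added example, not the ticket's or
# Puppet's own code). Assumes libcap's getcap/setcap are on PATH and that the
# target path contains no spaces.

# Reduce one line of getcap output to "cap_name=flags". libcap has printed
# two formats over time:
#   older:  /usr/sbin/tcpdump = cap_net_raw+ep
#   newer:  /usr/sbin/tcpdump cap_net_raw=ep
normalize_getcap() {
  printf '%s\n' "$1" | sed -e 's/^.* = //' -e 's/^[^ ]* //' -e 's/+/=/'
}

# Succeed only when the file already carries exactly the wanted capability
# string (e.g. "cap_net_raw=ei"), so a caller can use it as an "unless" test.
cap_is_set() {
  current=$(getcap "$1" 2>/dev/null) || return 1
  [ -n "$current" ] || return 1
  [ "$(normalize_getcap "$current")" = "$2" ]
}

# Apply the capability only when it differs from what is already set, so a
# repeated run changes nothing and reports nothing.
ensure_file_cap() {
  cap_is_set "$1" "$2" && return 0
  setcap "$2" "$1"
}

# Usage (needs root): ensure_file_cap /usr/sbin/tcpdump cap_net_raw=ei
```

In a manifest the same test belongs in an exec resource's `unless`, with the setcap call as its `command`, so Puppet only reports a change when the capability actually differs.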