>>> Magnum BBS <<<
LINUX.DEBIAN.USER
  • pam and pam-cap don't play along

    From daggs@21:1/5 to All on Sun Jul 21 00:00:01 2024
    Greetings,

    I have a bookworm installation where I want to allow a group of users to run a specific binary that needs to execute an ioctl which is not possible for normal users.
    in comes pam+libcap.
    so I've installed libcap, updated /etc/security/capability.conf with this line: cap_net_admin @igor
    then I've moved the bin I've created to /usr/local/bin and defined this in /etc/pam.d:
    $ cat /etc/pam.d/test1
    auth optional pam_cap.so

    now I'm trying to run test1 as user igor which is in the relevant group:
    $ id igor
    uid=1000(igor) gid=1000(igor) groups=1000(igor),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev)

    when I run it, I get this error:
    $ test1
    Unable to create tap device: Operation not permitted

    what am I doing wrong?

    Thanks

    Dagg

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From George at Clug@21:1/5 to All on Sun Jul 21 03:10:02 2024
    On Sunday, 21-07-2024 at 07:57 daggs wrote:
    > Greetings,
    >
    > I have a bookworm installation where I want to allow a group of users
    > to run a specific binary that needs to execute an ioctl which is not
    > possible for normal users.
    > in comes pam+libcap.
    > so I've installed libcap, updated /etc/security/capability.conf with
    > this line: cap_net_admin   @igor
    > then I've moved the bin I've created to /usr/local/bin and defined
    > this in /etc/pam.d:
    > $ cat /etc/pam.d/test1
    > auth optional pam_cap.so

    $ man auth
    No manual entry for auth

    Daggs,

    I do not have the Linux skills to help you; hopefully others do and can
    help you.

    I would ask if you could give a bit more detail; it may help others to
    help you.

    Is what you are trying to do related to what this page is about?
    https://adil.medium.com/run-your-applications-with-necessary-privileges-linux-capabilities-428e2c402f0b

    George

    https://adil.medium.com/run-your-applications-with-necessary-privileges-linux-capabilities-428e2c402f0b

    https://man7.org/linux/man-pages/man3/libcap.3.html

    https://www.sciencedirect.com/topics/computer-science/libpcap-library
    This library is frequently used in network security tools for a
    variety of purposes including in network scanners and network
    monitoring software.

    https://manpages.ubuntu.com/manpages/focal/en/man5/capability.conf.5.html
           If any capability name or numeric value is invalid/unknown to the local system, the
           capabilities will be rejected, and the inheritable set will not be modified.

    https://unix.stackexchange.com/questions/74607/is-it-possible-to-specify-groups-in-etc-security-capability-conf
    my pet project is to replace the setuid on a lot of the binaries and
    provide access to additional privileged utilities to non-root users.

    > now I'm trying to run test1 as user igor which is in the relevant
    > group:
    > $ id igor
    > uid=1000(igor) gid=1000(igor)
    > groups=1000(igor),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev)
    >
    > when I run it, I get this error:
    > $ test1
    > Unable to create tap device: Operation not permitted
    >
    > what am I doing wrong?
    >
    > Thanks
    >
    > Dagg


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Kamil Jońca@21:1/5 to daggs on Sun Jul 21 07:20:01 2024
    daggs <[email protected]> writes:

    > Greetings,
    >
    > I have a bookworm installation where I want to allow a group of users to run a specific binary that needs to execute an ioctl which is not possible for normal users.
    > in comes pam+libcap.
    > so I've installed libcap, updated /etc/security/capability.conf with this line: cap_net_admin @igor

    Hm. In "my" man capability.conf there is no mention of the "@"
    sign (I guess you wanted to use a group?) Maybe you should try "igor" first?
    KJ

    --
    http://wolnelektury.pl/wesprzyj/teraz/
    Been Transferred Lately?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
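The thread turns on two details of the capability.conf format that the original post and Kamil's reply disagree about: whether the second field may name a group with "@", and what a line like "cap_net_admin @igor" actually grants. The audit script below is an added example written for this page; it is not code from the thread, from Debian or from libcap. It parses the capability.conf rule format and resolves it against the group list that `id igor` printed above, so a reader can see which rule would apply to a user before touching the PAM stack. The matching semantics are my reading of capability.conf(5) and are stated as assumptions in the comments: one "<capabilities> <user|@group|*>" rule per line, the first matching rule wins, "all" and "none" are keywords, and a leading "^" asks for ambient as well as inheritable capabilities. Two facts worth keeping in mind when reading the result, independent of this script: pam_cap.so reads the file only when a PAM service stack that lists it runs (typically the login service, e.g. via common-auth), so a standalone /etc/pam.d/test1 is consulted only by a program that itself calls PAM with the service name "test1"; and a capability in the process's inheritable set becomes effective across exec only if the executable also carries it in its file inheritable set (setcap) or it is raised as an ambient capability.

```python
#!/usr/bin/env python3
"""Audit which capabilities pam_cap.so would grant a user from capability.conf.

Added example, not code from the thread or from libcap. Assumed semantics
(my reading of capability.conf(5), not something the thread establishes):
  - one rule per line: "<capabilities> <user|@group|*>", '#' starts a comment
  - the first rule whose second field matches the user, one of the user's
    groups ('@group') or '*' wins
  - 'all' and 'none' are keywords in the capability field
  - a leading '^' on the capability field requests ambient capabilities too
"""
import re
from dataclasses import dataclass

# Syntactic shape of a capability name; the kernel/libcap decide validity.
CAP_NAME = re.compile(r"^cap_[a-z0-9_]+$")


@dataclass
class Rule:
    caps: set          # e.g. {"cap_net_admin"}; keywords "all"/"none" kept as-is
    who: str           # "igor", "@igor" or "*"
    ambient: bool      # True when the field was written as ^cap_...
    lineno: int
    problems: list     # capability tokens that do not look like names/keywords


def parse_capability_conf(text):
    """Return the Rules in file order; raise ValueError on a malformed line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments/whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '<caps> <user|@group|*>', got {raw!r}")
        capfield, who = fields
        ambient = capfield.startswith("^")
        if ambient:
            capfield = capfield[1:]
        caps = {c.lower() for c in capfield.split(",") if c}
        # capability.conf(5) (quoted in the thread): an unknown capability name
        # makes the whole line get rejected, so flag anything that is neither a
        # keyword nor shaped like a capability name.
        problems = [c for c in sorted(caps)
                    if c not in ("all", "none") and not CAP_NAME.match(c)]
        rules.append(Rule(caps, who, ambient, lineno, problems))
    return rules


def parse_id_output(id_line):
    """Extract (user, [group names]) from one line of `id` output."""
    user = re.search(r"uid=\d+\(([^)]+)\)", id_line).group(1)
    groups_field = re.search(r"groups=(\S+)", id_line).group(1)
    groups = re.findall(r"\d+\(([^)]+)\)", groups_field)
    return user, groups


def matching_rule(rules, user, groups):
    """First rule that applies to this user, or None if no rule matches."""
    for rule in rules:
        if rule.who == "*" or rule.who == user:
            return rule
        if rule.who.startswith("@") and rule.who[1:] in groups:
            return rule
    return None


def audit(conf_text, id_line):
    """Summarise the grant for one user as a plain dict."""
    user, groups = parse_id_output(id_line)
    rule = matching_rule(parse_capability_conf(conf_text), user, groups)
    if rule is None:
        return {"user": user, "caps": set(), "ambient": False, "line": None, "problems": []}
    return {"user": user, "caps": set(rule.caps), "ambient": rule.ambient,
            "line": rule.lineno, "problems": list(rule.problems)}


# Constructed inputs: the rule and the `id` line quoted in the thread, plus a
# second config in the per-user form Kamil suggested, with a '*' fallback.
OP_CONF = "cap_net_admin @igor\n"
KJ_CONF = "# per-user form, everyone else gets nothing\ncap_net_admin igor\nnone *\n"
ID_LINE = ("uid=1000(igor) gid=1000(igor) groups=1000(igor),24(cdrom),25(floppy),"
           "29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev)")

if __name__ == "__main__":
    for label, conf in (("group rule", OP_CONF), ("user rule", KJ_CONF)):
        r = audit(conf, ID_LINE)
        print(f"{label}: {r['user']} gets {sorted(r['caps'])} from line {r['line']} "
              f"(ambient={r['ambient']}, problems={r['problems']})")
```

Run it as `python3 capconf_audit.py`; to audit a live system, feed it the contents of /etc/security/capability.conf and the output of `id <user>` instead of the constructed strings. The script only answers "which rule would pam_cap pick for this user"; it says nothing about whether the PAM service in use actually loads pam_cap.so.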
  • From daggs@21:1/5 to All on Sun Jul 21 09:10:01 2024
    Greetings George,

    > Sent: Sunday, July 21, 2024 at 4:00 AM
    > From: "George at Clug" <[email protected]>
    > To: [email protected]
    > Subject: Re: pam and pam-cap don't play along
    > On Sunday, 21-07-2024 at 07:57 daggs wrote:
    > > Greetings,
    > >
    > > I have a bookworm installation where I want to allow a group of users to run a specific binary that needs to execute an ioctl which is not possible for normal users.
    > > in comes pam+libcap.
    > > so I've installed libcap, updated /etc/security/capability.conf with this line: cap_net_admin   @igor
    > > then I've moved the bin I've created to /usr/local/bin and defined this in /etc/pam.d:
    > > $ cat /etc/pam.d/test1
    > > auth optional pam_cap.so
    >
    > $ man auth
    > No manual entry for auth
    >
    > Daggs,
    >
    > I do not have the Linux skills to help you; hopefully others do and can help you.
    >
    > I would ask if you could give a bit more detail; it may help others to help you.
    >
    > Is what you are trying to do related to what this page is about?
    > https://adil.medium.com/run-your-applications-with-necessary-privileges-linux-capabilities-428e2c402f0b
    >
    > George

    yes, this looks like what I'm trying to do, I'll look into it, thanks for the link.
    what I need to do is to allow virsh the ability to create tap interfaces when starting a vm in a session scope rather than a system scope.
    I just tried to minimize the test case.

    Thanks,

    Dagg

    > https://adil.medium.com/run-your-applications-with-necessary-privileges-linux-capabilities-428e2c402f0b
    >
    > https://man7.org/linux/man-pages/man3/libcap.3.html
    >
    > https://www.sciencedirect.com/topics/computer-science/libpcap-library
    > This library is frequently used in network security tools for a variety of purposes including in network scanners and network monitoring software.
    >
    > https://manpages.ubuntu.com/manpages/focal/en/man5/capability.conf.5.html
    >        If any capability name or numeric value is invalid/unknown to the local system, the
    >        capabilities will be rejected, and the inheritable set will not be modified.
    >
    > https://unix.stackexchange.com/questions/74607/is-it-possible-to-specify-groups-in-etc-security-capability-conf
    > my pet project is to replace the setuid on a lot of the binaries and provide access to additional privileged utilities to non-root users.
    >
    > > now I'm trying to run test1 as user igor which is in the relevant group:
    > > $ id igor
    > > uid=1000(igor) gid=1000(igor) groups=1000(igor),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev)
    > >
    > > when I run it, I get this error:
    > > $ test1
    > > Unable to create tap device: Operation not permitted
    > >
    > > what am I doing wrong?
    > >
    > > Thanks
    > >
    > > Dagg



    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)