• unable to set cap to virsh

    From daggs@21:1/5 to All on Thu Aug 15 00:20:01 2024
    Greetings,

    I'm trying to allow a specific group the ability to run virsh with cap_net_admin capabilities.
    I've installed libcap2-bin and cap_pam, added user foo to libvirt-qemu, see: uid=1001(foo) gid=1001(foo) groups=1001(foo),103(kvm),108(netdev),109(libvirt),64055(libvirt-qemu)

    next, I've configured libvirt-qemu group with cap_net_admin cap in /etc/security/capability.conf, see:
    #
    # /etc/security/capability.conf
    #
    # this is a sample capability file (to be used in conjunction with
    # the pam_cap.so module)
    #
    # In order to use this module, it must have been linked with libcap
    # and thus you'll know about Linux's capability support.
    # [If you don't know about libcap, read more about it here:
    #
    # https://sites.google.com/site/fullycapable/
    #
    # There is a page devoted to pam_cap.so here:
    #
    # https://sites.google.com/site/fullycapable/pam_cap-so
    #
    # .]
    #
    # Here are some sample lines (remove the preceding '#' if you want to
    # use them.
    #
    # The pam_cap.so module accepts the following arguments:
    #
    # debug - be more verbose logging things (unused by pam_cap for now)
    # config=<file> - override the default config for the module with file
    # keepcaps - workaround for applications that setuid without this
    # autoauth - if you want pam_cap.so to always succeed for the auth phase
    # default=<iab> - provide a fallback IAB value if there is no '*' rule

    ## user 'morgan' gets the CAP_SETFCAP inheritable capability (commented out!)
    #cap_setfcap morgan

    ## user 'luser' inherits the CAP_DAC_OVERRIDE capability (commented out!)
    #cap_dac_override luser

    cap_net_admin @libvirt-qemu

    ## 'everyone else' gets no inheritable capabilities (restrictive config)
    none *

    ## if there is no '*' entry, and no "default=<iab>" pam_cap.so module
    ## argument to fallback on, all users not explicitly mentioned will
    ## get all currently available inheritable capabilities. This is a
    ## permissive default, and possibly not what you want... On first
    ## reading, you might think this is a security problem waiting to
    ## happen, but it defaults to not being so in this sample file!
    ## Further, by 'get', we mean 'get in their IAB sets'. That is, if you
    ## look at a random process, even one run by root, you will see it has
    ## no IAB capabilities (by default):
    ##
    ## $ /sbin/capsh --decode=$(grep CapInh /proc/1/status|awk '{print $2}')
    ## 0000000000000000=
    ##
    ## The pam_cap module simply alters the value of the inheritable
    ## capability vactors (IAB). Including the 'none *' forces use of this
    ## module with an unspecified user to have their inheritable set
    ## forced to zero.
    ##
    ## Omitting the line will cause the inheritable set to be unmodified
    ## from what the parent process had (which is generally 0 unless the
    ## invoking user was bestowed with some inheritable capabilities by a
    ## previous invocation).

    created /etc/pam.d/virsh with this content:
    auth required pam_cap.so
    and set the caps on /usr/bin/virsh as follows:
    /usr/bin/virsh cap_net_admin=eip

    Now I run virsh and break it with ^Z, get the pid and run
    /sbin/capsh --decode=$(grep CapInh /proc/743/status | awk '{print $2}') and I get this:
    0x0000000000000000=

    i.e. no permissions... What am I doing wrong?

    Thanks,

    Dagg

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
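As an added example (not code from the original post), the following Python decodes the Cap* fields of /proc/<pid>/status into the same form as `capsh --decode`, parses the setcap text form used above (`cap_net_admin=eip`), and applies the execve() transition rules from capabilities(7) to the scenario in the post: virsh carrying file capabilities, started from a shell whose inheritable set is either empty or already holds cap_net_admin. The capability bit numbers follow the kernel's capability.h; the status text and the two shell states are constructed for the walk-through, and `parse_file_caps` is a deliberately simplified parser that only handles the `name[,name]=flags` form.

```python
"""Decode /proc/<pid>/status capability sets and model the execve() transition.

Added example, not part of the original post. Bit numbers follow
include/uapi/linux/capability.h; the transition rules follow the
"Transformation of capabilities during execve()" section of capabilities(7).
"""
import re

# Capability names indexed by bit number (cap_net_admin is bit 12).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}
ALL_CAPS = (1 << len(CAP_NAMES)) - 1  # a full bounding set, 41 capabilities

# Constructed /proc/<pid>/status excerpt: a process that got cap_net_admin
# from file capabilities only (permitted/effective set, inheritable empty).
SAMPLE_STATUS = """\
Name:\tvirsh
Uid:\t1001\t1001\t1001\t1001
CapInh:\t0000000000000000
CapPrm:\t0000000000001000
CapEff:\t0000000000001000
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""


def capsh_decode(mask):
    """Format a capability bitmask like `capsh --decode`: 0x<16 hex>=<names>."""
    names = [name for name, bit in CAP_BIT.items() if mask >> bit & 1]
    return "0x%016x=%s" % (mask, ",".join(names))


def parse_proc_status(text):
    """Return {'CapInh': int, 'CapPrm': int, ...} from /proc/<pid>/status text."""
    sets = {}
    for line in text.splitlines():
        m = re.match(r"(Cap\w+):\s*([0-9a-fA-F]+)$", line)
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    return sets


def parse_file_caps(spec):
    """Simplified parser for the setcap text form, e.g. 'cap_net_admin=eip'."""
    names, _, flags = spec.partition("=")
    mask = 0
    for name in names.split(","):
        mask |= 1 << CAP_BIT[name.strip()]
    return {
        "permitted": mask if "p" in flags else 0,
        "inheritable": mask if "i" in flags else 0,
        "effective": "e" in flags,
    }


def exec_transition(proc, fcaps):
    """Capability sets of the new program image, per capabilities(7)."""
    privileged = bool(fcaps["permitted"] | fcaps["inheritable"])
    new_amb = 0 if privileged else proc["CapAmb"]  # file caps clear ambient
    new_prm = ((proc["CapInh"] & fcaps["inheritable"])
               | (fcaps["permitted"] & proc["CapBnd"])
               | new_amb)
    new_eff = new_prm if fcaps["effective"] else new_amb
    return {
        "CapInh": proc["CapInh"],  # inheritable is carried over unchanged
        "CapPrm": new_prm,
        "CapEff": new_eff,
        "CapBnd": proc["CapBnd"],
        "CapAmb": new_amb,
    }


def demo():
    """Constructed walk-through: virsh with cap_net_admin=eip, two shell states."""
    fcaps = parse_file_caps("cap_net_admin=eip")
    shell_without_inh = {"CapInh": 0, "CapPrm": 0, "CapEff": 0,
                         "CapBnd": ALL_CAPS, "CapAmb": 0}
    shell_with_inh = dict(shell_without_inh,
                          CapInh=1 << CAP_BIT["cap_net_admin"])
    return {
        "no_inheritable": exec_transition(shell_without_inh, fcaps),
        "with_inheritable": exec_transition(shell_with_inh, fcaps),
    }


if __name__ == "__main__":
    for key, value in parse_proc_status(SAMPLE_STATUS).items():
        print(key, capsh_decode(value))
    for label, sets in demo().items():
        print(label, "CapInh", capsh_decode(sets["CapInh"]),
              "CapEff", capsh_decode(sets["CapEff"]))
```

The model shows the property that matters when reading a `CapInh` line: file capabilities can place cap_net_admin in the new image's permitted and effective sets, but the inheritable set is never written by execve(); it is whatever the parent process had. A non-zero `CapInh` on the child therefore depends on the inheritable set having been populated in the calling session before the exec, which is the job pam_cap does when it runs in the PAM stack of the login service.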