Discussion:
pam and pam-cap don't play along
daggs
2024-07-20 22:00:01 UTC
Greetings,

I have a bookworm installation where I want to allow a group of users to run a specific binary that needs to execute an ioctl which is not possible for normal users.
in comes pam+libcap.
so I've installed libcap, updated /etc/security/capability.conf with this line: cap_net_admin @igor
then I've moved the bin I've created to /usr/local/bin and defined this in /etc/pam.d:
$ cat /etc/pam.d/test1
auth optional pam_cap.so

now I'm trying to run test1 as user igor which is in the relevant group:
$ id igor
uid=1000(igor) gid=1000(igor) groups=1000(igor),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev)

when I run it, I get this error:
$ test1
Unable to create tap device: Operation not permitted

what am I doing wrong?

Thanks

Dagg
George at Clug
2024-07-21 01:10:02 UTC
Post by daggs
Greetings,
I have bookworm installation where I want to allow a group of users
to run a specific binary that needs to execute a ioctl which is not
possible for normal users.
Post by daggs
in comes pam+libcap.
so I've installed libcap, updated /etc/security/capability.conf with
then I've moved the bin I've created to /usr/local/bin and defined
$ cat /etc/pam.d/test1
auth optional pam_cap.so
$ man auth
No manual entry for auth

Daggs,

I do not have the Linux skills to help you; hopefully others do and can
help you.

I would ask if you could give a bit more detail, it may help others to
help you.

Is what you are trying to do, related to what this page is about?
https://adil.medium.com/run-your-applications-with-necessary-privileges-linux-capabilities-428e2c402f0b

George

https://adil.medium.com/run-your-applications-with-necessary-privileges-linux-capabilities-428e2c402f0b

https://man7.org/linux/man-pages/man3/libcap.3.html

https://www.sciencedirect.com/topics/computer-science/libpcap-library
This library is frequently used in network security tools for a
variety of purposes including in network scanners and network
monitoring software.

https://manpages.ubuntu.com/manpages/focal/en/man5/capability.conf.5.html
       If any capability name or numeric value is invalid/unknown to the local system, the
       capabilities will be rejected, and the inheritable set will not be modified.

https://unix.stackexchange.com/questions/74607/is-it-possible-to-specify-groups-in-etc-security-capability-conf
my pet project is to replace the setuid on a lot of the binaries and
provide access to additional privileged utilities to non-root users.
Post by daggs
now I'm trying to run test1 as user igor which is in the relevant
$ id igor
uid=1000(igor) gid=1000(igor)
groups=1000(igor),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev)
Post by daggs
$ test1
Unable to create tap device: Operation not permitted
what am I doing wrong?
Thanks
Dagg
daggs
2024-07-21 07:10:01 UTC
Greetings George,
Sent: Sunday, July 21, 2024 at 4:00 AM
Subject: Re: pam and pam-cap don't play along
Post by daggs
Greetings,
I have a bookworm installation where I want to allow a group of users to run a specific binary that needs to execute an ioctl which is not possible for normal users.
in comes pam+libcap.
$ cat /etc/pam.d/test1
auth optional pam_cap.so
$ man auth
No manual entry for auth
Daggs,
I do not have the Linux skills to help you; hopefully others do and can help you.
I would ask if you could give a bit more detail, it may help others to help you.
Is what you are trying to do, related to what this page is about?
https://adil.medium.com/run-your-applications-with-necessary-privileges-linux-capabilities-428e2c402f0b
George
yes, this looks like what I'm trying to do, I'll look into it, thanks for the link.
what I need to do is to allow virsh the ability to create tap interfaces when starting a vm in a session scope rather than a system scope.
I just tried to minimize the test case.

Thanks,

Dagg
https://adil.medium.com/run-your-applications-with-necessary-privileges-linux-capabilities-428e2c402f0b
https://man7.org/linux/man-pages/man3/libcap.3.html
https://www.sciencedirect.com/topics/computer-science/libpcap-library
This library is frequently used in network security tools for a variety of purposes including in network scanners and network monitoring software.
https://manpages.ubuntu.com/manpages/focal/en/man5/capability.conf.5.html
       If any capability name or numeric value is invalid/unknown to the local system, the
       capabilities will be rejected, and the inheritable set will not be modified.
https://unix.stackexchange.com/questions/74607/is-it-possible-to-specify-groups-in-etc-security-capability-conf
my pet project is to replace the setuid on a lot of the binaries and provide access to additional privileged utilities to non-root users.
Post by daggs
$ id igor
uid=1000(igor) gid=1000(igor) groups=1000(igor),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev)
$ test1
Unable to create tap device: Operation not permitted
what am I doing wrong?
Thanks
Dagg
Kamil Jońca
2024-07-21 05:20:01 UTC
Post by daggs
Greetings,
I have a bookworm installation where I want to allow a group of users to run a specific binary that needs to execute an ioctl which is not possible for normal users.
in comes pam+libcap.
Hm. In "my" man capability.conf there is no mention about the "@"
sign (I guess you wanted to use a group?) Maybe you should try "igor" first?
KJ
--
http://wolnelektury.pl/wesprzyj/teraz/
Been Transferred Lately?
daggs
2024-07-21 07:10:02 UTC
Greetings Kamil,
Sent: Sunday, July 21, 2024 at 7:55 AM
Subject: Re: pam and pam-cap don't play along
Post by daggs
Greetings,
I have a bookworm installation where I want to allow a group of users to run a specific binary that needs to execute an ioctl which is not possible for normal users.
in comes pam+libcap.
sign (I guess you wanted to use a group?) Maybe you should try "igor" first?
KJ
I think such support was added before 2.66 but I'll try it nonetheless

Dagg
--
http://wolnelektury.pl/wesprzyj/teraz/
Been Transferred Lately?
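A small diagnostic for the setup discussed in this thread (the `cap_net_admin @igor` line in capability.conf, the `@group` syntax Kamil asked about, and the "Operation not permitted" result): it parses the capability.conf line format and decodes the CapInh/CapPrm/CapEff masks from /proc/<pid>/status, so you can see whether the capability the config grants ever reached the process's effective set. This is an added example, not code from the thread or from libcap; the sample config and status text are constructed, and first-match-wins is how I read pam_cap's matching, so check capability.conf(5) on your own system.

```python
import re

# Capability bit numbers from <linux/capability.h>; /proc/<pid>/status reports
# each capability set as a hex mask over these bits (subset shown).
CAP_BITS = {
    "cap_chown": 0, "cap_dac_override": 1, "cap_dac_read_search": 2,
    "cap_fowner": 3, "cap_fsetid": 4, "cap_kill": 5, "cap_setgid": 6,
    "cap_setuid": 7, "cap_setpcap": 8, "cap_linux_immutable": 9,
    "cap_net_bind_service": 10, "cap_net_broadcast": 11, "cap_net_admin": 12,
    "cap_net_raw": 13, "cap_ipc_lock": 14, "cap_ipc_owner": 15,
    "cap_sys_module": 16, "cap_sys_rawio": 17, "cap_sys_chroot": 18,
    "cap_sys_ptrace": 19, "cap_sys_pacct": 20, "cap_sys_admin": 21,
}

def caps_for_user(conf_text, user, groups):
    """Capabilities capability.conf grants to `user` (a member of `groups`).

    Line format: '<cap,cap,...> <user|@group|*> ...'; '#' starts a comment.
    Assumes the first line with a matching user entry wins, as in pam_cap."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        caps, *who = line.split()
        for entry in who:
            if entry == "*" or entry == user or \
               (entry.startswith("@") and entry[1:] in groups):
                return {c.strip().lower() for c in caps.split(",")}
    return set()

def decode_status(status_text):
    """Turn the CapInh/CapPrm/CapEff lines of /proc/<pid>/status into name sets."""
    sets = {}
    pat = r"^(CapInh|CapPrm|CapEff):\s*([0-9a-fA-F]+)"
    for m in re.finditer(pat, status_text, re.M):
        mask = int(m.group(2), 16)
        sets[m.group(1)] = {n for n, b in CAP_BITS.items() if mask >> b & 1}
    return sets

def diagnose(conf_text, status_text, user, groups):
    """For each granted cap: is it inheritable, and did it become effective?"""
    have = decode_status(status_text)
    return {cap: {"inheritable": cap in have.get("CapInh", set()),
                  "effective": cap in have.get("CapEff", set())}
            for cap in caps_for_user(conf_text, user, groups)}

# Constructed sample: the thread's config line, and a status snapshot where
# pam_cap did populate the inheritable set but nothing made it effective.
SAMPLE_CONF = "# constructed /etc/security/capability.conf\ncap_net_admin @igor\n"
SAMPLE_STATUS = ("Name:\ttest1\nCapInh:\t0000000000001000\n"
                 "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n")

if __name__ == "__main__":
    print(diagnose(SAMPLE_CONF, SAMPLE_STATUS, "igor", {"igor", "users"}))
```

An "inheritable: True, effective: False" result is the expected outcome of pam_cap alone: on execve a process-inheritable capability only becomes permitted and effective if the executed file also carries it in its file inheritable set with the effective bit (setcap's `cap_net_admin=ei`), or if it was raised into the ambient set. The status sample also presumes pam_cap.so ran in the PAM stack of the login service that started the session; a /etc/pam.d/<name> file is only consulted by a program that starts PAM with that service name.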