I only copied the binary because I do *not* want my normal nc to have the capability to bind to root-only ports.
> In many scenarios you probably will end up using something like capsh or pam-cap.
libpam-cap is probably easier for you:
apt-get install libpam-cap
pam-auth-update (enable "capabilities management")
sensible-editor /etc/security/capability.conf
# add "cap_net_bind_service cyberax"
It should be rather similar for other distributions.
Then start a new shell as your user (*not* via sudo "su - cyberax", use sudo -u cyberax, or su - cyberax from *your* user or such, pam_rootok makes a pretty unfortunate shortcut there) and voila:
andres@alap2:~$ sudo -u andres nc -l 434
^C
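As an added example (not from andresfreund's comment, and with function names of my own choosing), a small POSIX shell check that confirms whether CAP_NET_BIND_SERVICE (capability number 10) actually reached the current process after the pam_cap setup, by reading the capability masks the kernel exposes in /proc/self/status:

```shell
# Added example: check whether capability CAPNUM is present in the
# inheritable, permitted, effective and bounding sets of this process.
# CAP_NET_BIND_SERVICE is capability number 10 in the Linux ABI.

CAP_NET_BIND_SERVICE=10

# cap_in_mask HEXMASK CAPNUM -> exit status 0 if bit CAPNUM is set in HEXMASK
cap_in_mask() {
    mask=$1
    capnum=$2
    [ $(( (0x$mask >> capnum) & 1 )) -eq 1 ]
}

# cap_mask_of SET -> print the hex mask for SET (CapInh, CapPrm, CapEff,
# CapBnd) of the current process; prints nothing if /proc is unavailable
cap_mask_of() {
    set_name=$1
    awk -v key="${set_name}:" '$1 == key { print $2 }' /proc/self/status 2>/dev/null
}

# report_cap CAPNUM -> print which sets contain CAPNUM; exit status 0 only
# if it is in the effective set (i.e. usable right now, e.g. by nc -l 434)
report_cap() {
    capnum=$1
    rc=1
    for s in CapInh CapPrm CapEff CapBnd; do
        m=$(cap_mask_of "$s")
        [ -n "$m" ] || continue
        if cap_in_mask "$m" "$capnum"; then
            echo "$s: cap $capnum present"
            [ "$s" = CapEff ] && rc=0
        else
            echo "$s: cap $capnum absent"
        fi
    done
    return $rc
}

if report_cap "$CAP_NET_BIND_SERVICE"; then
    echo "CAP_NET_BIND_SERVICE is effective in this shell"
else
    echo "CAP_NET_BIND_SERVICE is NOT effective in this shell"
fi
```

If the bit shows up in CapInh but not in CapEff, pam_cap did its part but the executed binary itself did not pick the capability up, which is what you would want to see when auditing a session like the one above.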
Posted Jan 3, 2013 21:09 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)
That's much better than setting caps for executable files, but still has the problem of non-locality. It's impossible to understand from the daemon's command line that it magically acquires additional caps.
User namespaces progress
Posted Jan 3, 2013 21:21 UTC (Thu) by andresfreund (subscriber, #69562)
Hm, I don't really see that as a problem. But anyway: