Linux capabilities

Bind ports below 1024 without root on GNU/Linux

For Debian, install libcap2-bin (apt install libcap2-bin); it provides the setcap and getcap tools used below.

For superuser ports (below 1024), try setcap cap_net_bind_service=+eip /path/to/program and verify the result with getcap /path/to/program. File capabilities live in the security.capability extended attribute of the binary, so they are lost when a package upgrade replaces the file and must be reapplied, and they are ignored on filesystems mounted nosuid.

You can also do setcap cap_ipc_lock,cap_sys_nice=+eip /usr/bin/jackd to get realtime scheduling in JACK. The same works for alsaplayer to enable its realtime option.

If you want to use Wireshark from a non-root account, do setcap cap_net_raw=+eip /usr/bin/dumpcap. Only the small capture helper gets the capability; the Wireshark GUI itself stays unprivileged. Now you can run Wireshark from a normal account and choose to capture from the network. Note that dumpcap also needs cap_net_admin to put an interface into promiscuous mode, so the usual spec is cap_net_raw,cap_net_admin=+eip; on Debian, dpkg-reconfigure wireshark-common does this for you and additionally restricts dumpcap to members of the wireshark group, which is preferable to granting it to every user on the system.

Security and capabilities

+eip gives the capability to any process that executes the file, regardless of what user runs it: the p (permitted) flag puts the capability into the new process's permitted set unconditionally, and the e (effective) bit makes it active immediately on exec.

Use of +ei instead of +eip is recommended to restrict the capability to executing processes that have already been granted it in their inheritable set. With +ei the new permitted set is the intersection of the process's inheritable set and the file's inheritable set, so a process whose inheritable set is empty gains nothing from the file.

The inheritable set is generally populated by root processes (login, PAM, systemd) as they create new user or service sessions.

For a user account, this is done with the pam_cap module (package libpam-cap on Debian), which reads /etc/security/capability.conf at login. Placing in that file the contents:

configures the user so that programs carrying an +ei file capability behave for that user as if they had +eip: the capability lands in the permitted set and is active, while other users running the same binary get nothing.

The capability sets of the current shell can then be checked with /sbin/getpcaps $$ (or by reading the Cap* lines of /proc/self/status).

systemd has the same feature for service units, AmbientCapabilities=. The listed capabilities are placed in the ambient set of the service process, so they survive exec into ordinary binaries that have no file capabilities of their own (ambient capabilities are cleared when a file that does have file capabilities or a setuid bit is executed).

Example: let apache2 run CGI scripts that call programs which open raw sockets, such as etherwake.

Put a drop-in at /etc/systemd/system/apache2.service.d/override.conf (systemctl edit apache2 creates it), then run systemctl daemon-reload and restart the service:

  [Service]
  AmbientCapabilities=CAP_NET_RAW

Note that the kernel clears the ambient set (along with permitted and effective) when a process switches from uid 0 to a non-zero uid. A daemon that starts as root and drops privileges itself, as apache2 does for its worker processes, therefore does not carry CAP_NET_RAW into its CGI children; ambient capabilities work as intended when the unit runs the whole service as an unprivileged user via User=.
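The three mechanisms above (a file capability with +eip or +ei, an inheritable set granted by pam_cap, and systemd's AmbientCapabilities=) all meet in the execve() transformation rules of capabilities(7). As an added example, not code from this page, libcap, pam_cap, systemd or the kernel, the following Python models those rules and runs the page's scenarios through them: +eip granting to anyone, +ei granting only to a user whose capability.conf entry gives the inheritable set, and an ambient capability surviving an exec chain of uncapped binaries but being dropped when a file with file capabilities is executed. It also decodes the Cap* lines of /proc/<pid>/status, which is what getpcaps reports. The capability.conf text, the users alice and bob and the status line are constructed inputs; pam_cap is modeled with its basic syntax only (first matching line wins, * for any user, none for no capabilities), and AmbientCapabilities= as placing the capabilities in the inheritable and ambient sets.

```python
"""Model of how a capability reaches a process at execve(), per capabilities(7).

Illustrative example only (not libcap, pam_cap, systemd or kernel code).
"""
from dataclasses import dataclass

# Bit numbers from <linux/capability.h>, limited to the capabilities on this page.
CAP_BITS = {
    "cap_net_bind_service": 10, "cap_net_admin": 12, "cap_net_raw": 13,
    "cap_ipc_lock": 14, "cap_sys_nice": 23,
}


def mask(*caps: str) -> int:
    return sum(1 << CAP_BITS[c.lower()] for c in caps)


def names(m: int) -> list[str]:
    return sorted(c for c, b in CAP_BITS.items() if m >> b & 1)


@dataclass
class Process:
    """The per-thread capability sets from capabilities(7)."""
    permitted: int = 0
    effective: int = 0
    inheritable: int = 0
    ambient: int = 0
    bounding: int = (1 << 41) - 1  # nothing dropped from the bounding set


@dataclass
class FileCaps:
    """security.capability xattr as written by setcap: p and i masks, one e bit."""
    permitted: int = 0
    inheritable: int = 0
    effective: bool = False


def setcap(spec: str) -> FileCaps:
    """Parse a setcap argument such as 'cap_net_raw,cap_net_admin=+eip'."""
    caps, flags = spec.split("=")
    m = mask(*caps.split(","))
    flags = flags.lstrip("+")
    return FileCaps(permitted=m if "p" in flags else 0,
                    inheritable=m if "i" in flags else 0,
                    effective="e" in flags)


def execve(proc: Process, f: FileCaps) -> Process:
    """Transformation of capability sets on execve(), from capabilities(7)."""
    privileged = bool(f.permitted | f.inheritable)  # file carries file capabilities
    ambient = 0 if privileged else proc.ambient     # ambient survives only uncapped files
    permitted = ((proc.inheritable & f.inheritable)  # +i: needs the cap in pI (pam_cap)
                 | (f.permitted & proc.bounding)     # +p: unconditional
                 | ambient)
    effective = permitted if f.effective else ambient  # the +e bit
    return Process(permitted, effective, proc.inheritable, ambient, proc.bounding)


def pam_cap_inheritable(conf: str, user: str) -> int:
    """Inheritable set pam_cap grants `user` from capability.conf text.

    Basic syntax only: 'cap,cap  user user' per line, '*' for any user,
    'none' for no capabilities, '#' comments, first matching line wins.
    """
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        caps, *users = line.split()
        if user in users or "*" in users:
            return 0 if caps == "none" else mask(*caps.split(","))
    return 0


def systemd_ambient(*caps: str) -> Process:
    """AmbientCapabilities=: the caps go into the service's inheritable and
    ambient sets (the kernel requires ambient to be within permitted & inheritable)."""
    m = mask(*caps)
    return Process(permitted=m, effective=m, inheritable=m, ambient=m)


def decode_status(status_text: str) -> dict[str, list[str]]:
    """Decode the Cap* lines of /proc/<pid>/status (what getpcaps $$ shows)."""
    out = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, hexval = line.split(":")
            out[key] = names(int(hexval, 16))
    return out


# Constructed inputs: an unprivileged shell and a sample pam_cap configuration.
USER_SHELL = Process()
CAPABILITY_CONF = """\
# capability.conf: capabilities   users   (constructed sample)
cap_net_raw,cap_net_admin   alice
none   *
"""

def eip_for_anyone():          # setcap cap_net_bind_service=+eip, run by anyone
    return names(execve(USER_SHELL, setcap("cap_net_bind_service=+eip")).effective)

def ei_for(user):              # setcap cap_net_raw=+ei, run by a pam_cap user
    shell = Process(inheritable=pam_cap_inheritable(CAPABILITY_CONF, user))
    return names(execve(shell, setcap("cap_net_raw=+ei")).effective)

def ambient_through_exec_chain():   # apache2 -> cgi -> etherwake, no file caps
    svc = systemd_ambient("CAP_NET_RAW")
    for prog in (FileCaps(), FileCaps()):
        svc = execve(svc, prog)
    return names(svc.effective)

def ambient_dropped_by_file_caps():  # exec of a file with file caps clears ambient
    svc = systemd_ambient("CAP_NET_RAW")
    return names(execve(svc, setcap("cap_sys_nice=+ei")).effective)
```

Running the scenarios reproduces the page's claims: eip_for_anyone() returns the capability for an unprivileged shell, ei_for("alice") returns it while ei_for("bob") returns nothing, and the ambient chain keeps cap_net_raw until a binary with file capabilities is executed. Compare the model against a real system with getpcaps $$ or by feeding /proc/self/status to decode_status().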