linuxpermissionslinux-capabilitiesprivileged-functions

Grant capabilities to a running process


An already running process needs a privileged instruction, like using the SO_RCVBUFFORCE socket option. This process is running as a normal user process.

How to give capability/permission to this process? File-based capability settings are still a dream?

I have tried the /usr/sbin/setpcaps utility from libcap package and the cap_set_proc() api, but the CAP_SETPCAP capability is blocked on the system (a legacy system based on Fedora 4 with 2.6.20 kernel), so it can not grant/remove capabilities for a different-then-self process.

Thought about setting temporary root uid to that process, but is there a way to change the effective UID of an external, already running process ? The setuid()/seteuid()/... functions can just modify the current process (who is calling the function).


Solution

  • You can't. The security model behind capabilities (rather, the "permitted set of capabilities") is that they can be dropped by a process, never added.

    If you can't set things up in your architecture such that the capabilities are inherited properly from the parent(s) of the process, you might try doing the setsocktopt() call in a separate process using file descriptor passing. That is, set up a "sockopt daemon" running at the needed privilege level, connect to it with your new socket, pass the file descriptor with sendmsg(), and let it do the necessary calls. This is an ugly API, and the solution is needlessly complicated. But it might be preferable to rearchitecting the launch and initialization structure of your app.