18

Right now I'm using cap_net_bind_service MY_USERNAME in /etc/security/capability.conf.
Now I just need to set cap_net_bind_service+i on the interpreter of my favorite scripting language to be able to add CAP_NET_BIND_SERVICE to the effective set via libcap[-ng].

This works fine, but I wonder if there's a way to achieve the same thing without setting any caps to the interpreter binary. While it's not a big problem (other user accounts don't have the cap so they can't use it even with the bit set on the interpreter binary) it's somewhat annoying since I have to re-set the flag every time the interpreter is updated.

Jeff Schaller
  • 67,283
  • 35
  • 116
  • 255
ThiefMaster
  • 2,337

1 Answers1

6

Usually, the capabilities are inherited to the children. As stated in the manpage :

A child created via fork(2) inherits copies of its parent's capability sets.

The issue with the scripts is they are not directly executables. The kernel goes through a list of checks (kernel code is located at fs/binfmt_*.c). One of them is "binfmt_script.c", that checks the first line for a shebang, then call the real interpreter (the one in the shebang) with your script as argument. As such, the standard/common interpreter is called, and simply reads your script as an argument.

This mean you'll have to set the capability on the interpreter, not on the script. The same thing applies to suid bits, and other special flags.

So either you make a copy of your interpreter, set the capabilities you want on it (also check that nobody can access it through chmod/chown), and call this copied interpreter in your shebang. You also may do the setcap logic in your script.

Adrien M.
  • 3,566
  • Ok, didn't saw the question was asked 2 years ago but never closed... Also, seems like a duplicate of http://unix.stackexchange.com/questions/87348/capabilities-for-a-script-on-linux – Adrien M. Oct 24 '14 at 14:22
  • but only i (inherit), gets past exec. And i does nothing on its own, it only works if the file has a matching i, and I thing the e (effective) bit (unless the script/executable sets that). It is even more complex that setuid, this is not a script effect. – ctrl-alt-delor Apr 16 '15 at 14:17
  • 1
    I thought the shebang was read by the kernel not the shell? (https://stackoverflow.com/questions/3009192/how-does-the-shebang-work/3009280) – Philip Couling Jan 31 '19 at 20:04
  • couling you're right. It was a misinterpretation I understood later. I've fixed it with hints on where the kernel code for scripts execution is located. – Adrien M. Feb 01 '19 at 12:34