If I want to set a capability (capabilities(7)), such as CAP_NET_BIND_SERVICE, on an executable file and that file is a script, do I have to set the capability (setcap(8)) on the interpreter starting that script or is it sufficient to set it on the script file itself?
Note: the question concerns Scientific Linux 6.1 in particular, but I think it can be answered generically.
Setting capability on the script will not be effective. It's the similar situation as not working setuid bit on script. Similar as in the latter case it's the implementation of how execve handles shebang and the security reasoning behind it (for details see: Allow setuid on shell scripts).
I think you have these options
set the capabilities on interpreter itself (actually rather a copy of it)
write a wrapper executable which will have a hardcoded logic to execute your script, and set desired capabilities on this executable
chroot one might missuse such wrapperIn both cases you would have to make sure capabilities set will survive execve by setting inheritable flag. You might also use pam_cap distributed with libcap usually, to actually activate desired capabilities by configuration only for selected users.
And in general you want to make sure nobody is able to modify behavior of your interpreter by changing environment eg. PYTHON_PATH or something similar.
Now, in the year 2022 and if your system uses systemd, you may also create a systemd unit config and run the script from there, also listing the required capabilities with CapabilityBoundingSet= directive.
