~demindiro/runcap - Run programs temporarily with capabilities as non-root

911b2405 — David Hoppenbrouwers 1 year, 4 months ago

Remove unused header include

1cacaa3e — David Hoppenbrouwers 1 year, 4 months ago

Add LICENSE

592a12f5 — David Hoppenbrouwers 1 year, 4 months ago

Initial, working version

refs

master: browse log

clone

read-only: https://git.sr.ht/~demindiro/runcap
read/write: git@git.sr.ht:~demindiro/runcap

#runcap

This program allows granting specific capabilities to non-root processes.

#Why not capsh?

capsh is (IMO) awful to use and I couldn't find an alternative. For some reason the Debian version misses --addamb too which makes it effectively useless. I also can't figure out how to make it exec() ("chainload") a program.

#How it works

Set UID & GID (with set_uid and set_groups, which are special).
Put a list of capabilities in the effective, inheritable and permitted sets.
Put those capabilities in the ambient set.
Execute the program.

#TODO

It may be worth setting the bounding set properly.