
file_capability

Manage Linux file capabilities with Puppet

511,982 downloads (2,165 of the latest version), quality score 5.0

Version information

  • 4.0.0 (latest)
  • 3.0.0
  • 2.0.0
  • 1.1.0
  • 1.0.1
  • 1.0.0
released Apr 5th 2022
This version is compatible with:
  • Puppet Enterprise 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x
  • Puppet >= 5.5.10 < 8.0.0

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'stm-file_capability', '4.0.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add stm-file_capability
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install stm-file_capability --version 4.0.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.


Documentation

stm/file_capability — version 4.0.0 Apr 5th 2022

file_capability


Table of Contents

  1. Overview
  2. Module Description - What the module does and why it is useful
  3. Setup - The basics of getting started with file_capability
  4. Usage - Configuration options and additional functionality
  5. Reference - An under-the-hood peek at what the module is doing and how
  6. Limitations - OS compatibility, etc.
  7. Development - Guide for contributing to the module

Overview

Manage file capabilities on Linux.

Module Description

Linux capabilities provide a more fine-grained privilege model than the traditional privileged user (root) vs. non-privileged user model. File capabilities associate capabilities with an executable and grant additional capabilities to the process calling the executable (similar to what a setuid binary does in the traditional model).

This module provides the file_capability type to set or reset file capabilities for a file. See the capabilities(7) man page for details about the available capabilities in your operating system.

Setup

What file_capability affects

  • Sets or resets file capabilities for a given file using the setcap and getcap binaries provided by the operating system.

Setup requirements

  • No additional Puppet modules are required for this type.

Usage

Initialize the class to install the required package:

include file_capability

On Debian-based operating systems this installs the libcap2-bin package so that the setcap and getcap binaries are available. On RedHat-based systems the libcap package is installed instead.

Set a single capability

Grant ping the capability it needs to open a raw socket without being setuid root:

file_capability { '/bin/ping':
  ensure     => present,
  capability => 'cap_net_raw=ep',
}

Set multiple capabilities

Wireshark's dumpcap needs this set of capabilities to capture packets as a non-root user:

file_capability { '/usr/bin/dumpcap':
  capability => [ 'cap_net_admin=eip', 'cap_net_raw=eip', ],
}

Both capabilities use the same flags, so this can be abbreviated:

file_capability { '/usr/bin/dumpcap':
  capability => 'cap_net_admin,cap_net_raw=eip',
}

Clear all capabilities

Remove all file capabilities:

file_capability { '/path/to/executable':
  ensure => absent,
}

Use hiera to create resources

The main class uses the file_capabilities hash parameter to create file_capability resources. So the following hiera item will create the same resource that is shown in the first example:

file_capability::file_capabilities:
  '/bin/ping':
    ensure:     present
    capability: 'cap_net_raw=ep'

Reference

See REFERENCE.md

Limitations

The type uses a regular expression to validate the capability parameter. Unfortunately some illegal specifications are not caught by this check.
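The same capability set can be written in several textual forms (the two dumpcap examples above are equivalent), so a sync check that compares strings would report spurious changes. The following added example, which is not the module's own provider code, parses a setcap-style spec as described in cap_from_text(3) into a canonical per-capability flag set, rejects flag letters and names the module's regular expression might let through, and compares the desired spec with a getcap line; it assumes getcap prints either "PATH = SPEC" (older libcap) or "PATH SPEC" (newer libcap), and it does not handle the all keyword or numeric capability ids.

```ruby
require 'set'

# Added example, not part of the stm-file_capability module.
# A clause is a comma-separated list of cap_* names followed by one or more
# operator groups: '=' replaces the flag set, '+' adds flags, '-' removes them.
CLAUSE_RE = /\A([a-z0-9_,]+)((?:[=+\-][eip]*)+)\z/.freeze
NAME_RE   = /\Acap_[a-z0-9_]+\z/.freeze   # simplification: no 'all', no numeric ids

# Normalise a spec (string or array of clauses, as the type accepts) into
# { capability name => sorted flag letters }. Capabilities whose flag set
# ends up empty are dropped, since getcap does not report them.
def parse_cap_spec(spec)
  caps = Hash.new { |h, k| h[k] = Set.new }
  Array(spec).join(' ').split(/\s+/).reject(&:empty?).each do |clause|
    m = CLAUSE_RE.match(clause)
    raise ArgumentError, "bad clause #{clause.inspect}" unless m
    names = m[1].split(',')
    names.each do |n|
      raise ArgumentError, "bad capability name #{n.inspect}" unless NAME_RE.match?(n)
    end
    # Each operator group applies to every capability named in the clause.
    m[2].scan(/([=+\-])([eip]*)/).each do |op, letters|
      names.each do |n|
        case op
        when '=' then caps[n] = Set.new(letters.chars)
        when '+' then caps[n].merge(letters.chars)
        when '-' then caps[n].subtract(letters.chars)
        end
      end
    end
  end
  caps.reject { |_, v| v.empty? }.transform_values { |v| v.to_a.sort.join }
end

# Strip the path (and the " = " separator older libcap prints) from a getcap line.
def getcap_spec(line, path)
  line.strip.delete_prefix(path).strip.delete_prefix('=').strip
end

# True when the capabilities reported by getcap equal the desired spec,
# regardless of how either side spells the capability set.
def caps_in_sync?(desired, getcap_line, path)
  parse_cap_spec(desired) == parse_cap_spec(getcap_spec(getcap_line, path))
end
```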

Capabilities are only available on more recent operating system releases such as RedHat 7 and Debian 8. In addition, the file system must support extended attributes, which is where the capabilities for the file are stored.

The module is currently developed and tested on:

  • Debian 9 (Stretch)

Development

Feel free to send pull requests for new features.