Forge Home

file_capability

Manage Linux file capabilities with Puppet

521,411 downloads

1,178 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 5.0.0 (latest)
  • 4.0.0
  • 3.0.0
  • 2.0.0
  • 1.1.0
  • 1.0.1
  • 1.0.0
released Jul 26th 2022
This version is compatible with:
  • Puppet Enterprise 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x
  • Puppet >= 6.0.0 < 8.0.0
  • , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'stm-file_capability', '5.0.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add stm-file_capability
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install stm-file_capability --version 5.0.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

stm/file_capability — version 5.0.0 Jul 26th 2022

file_capability

Build Status Puppet Forge License

Table of Contents

  1. Overview
  2. Module Description - What the module does and why it is useful
  3. Setup - The basics of getting started with file_capability
  4. Usage - Configuration options and additional functionality
  5. Reference - An under-the-hood peek at what the module is doing and how
  6. Limitations - OS compatibility, etc.
  7. Development - Guide for contributing to the module

Overview

Manage file capabilities on Linux.

Module Description

Linux capabilities provide a more fine-grained privilege model than the traditional privileged user (root) vs. non-privileged user model. File capabilities associate capabilities with an executable and grant additional capabilities to the process calling the executable (similar to what a setuid binary does in the traditional model).

This module provides the file_capability type to set or reset file capabilities for a file. See the capabilities(7) man page for details about the available capabilities in your operating system.

Setup

What file_capability affects

  • Sets or resets file capabilities for a given file using the setcap and getcap binaries provided by the operating system.

Setup requirements

  • No additional Puppet modules are required for this type.

Usage

Initialize the class to install the required package

include file_capability

On Debian based operating systems this will install the libcap2-bin package to ensure the required binaries are available. For RedHat based systems the package libcap will be installed instead.

Set a single capability

Set the capability used by ping to be able to open a raw socket without being setuid:

file_capability { '/bin/ping':
  ensure     => present,
  capability => 'cap_net_raw=ep',
}

Set multiple capabilities

This set of capabilities is used by Wireshark to be available to non-root users:

file_capability { '/usr/bin/dumpcap':
  capability => [ 'cap_net_admin=eip', 'cap_net_raw=eip', ],
}

Both capabilities use the same flags, so this can be abbreviated:

file_capability { '/usr/bin/dumpcap':
  capability => 'cap_net_admin,cap_net_raw=eip',
}

Clear all capabilities

Remove all file capabilities:

file_capability { '/path/to/executable':
  ensure => absent,
}

Use hiera to create resources

The main class uses the file_capabilities hash parameter to create file_capability resources. So the following hiera item will create the same resource that is shown in the first example:

file_capability::file_capabilities:
  '/bin/ping':
    ensure:     present
    capability: 'cap_net_raw=ep'

Reference

See REFERENCE.md

Limitations

The type uses a regular expression to validate the capability parameter. Unfortunately some illegal specifications are not caught by this check.

Capabilities are only available on more recent operating system releases like RedHat 7 and Debian 8. In addition the file system must support extended attributes to store the capabilities for the file.

The module is currently developed and tested on:

  • Debian 9 (Stretch)

Development

Feel free to send pull requests for new features.