file_capability

pdk

Manage Linux file capabilities with Puppet

Project URL RSS Feed Report issues

Module Stats

603,196 downloads

14,631 latest version

5.0 quality score

Version information

released Feb 4th 2018

This version is compatible with:

Puppet Enterprise 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
Puppet >= 3.7.0 < 6.0.0
Debian
,
Ubuntu
,
RedHat
,
CentOS

Start using this module

Installation method

Add this module to your Puppetfile:

mod 'stm-file_capability', '1.0.1'

Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add stm-file_capability

Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install stm-file_capability --version 1.0.1

Tags: linux, capability

Documentation

stm/file_capability — version 1.0.1 Feb 4th 2018

file_capability

Overview
Module Description - What the module does and why it is useful
Setup - The basics of getting started with file_capability
- What file_capability affects
- Setup requirements
Usage - Configuration options and additional functionality
Reference - An under-the-hood peek at what the module is doing and how
Limitations - OS compatibility, etc.
Development - Guide for contributing to the module

Overview

Manage file capabilities on Linux.

Module Description

Linux capabilities provide a more fine-grained privilege model than the traditional privileged user (root) vs. non-privileged user model. File capabilities associate capabilities with an executable and grant additional capabilities to the process calling the executable (similar to what a setuid binary does in the traditional model).

This module provides the file_capability type to set or reset file capabilities for a file.

Setup

What file_capability affects

Sets or resets file capabilities for a given file using the setcap and getcap binaries provided by the operating system.

Setup requirements

The setcap and getcap executables must be available. On Debian these are provided by the libcap2-bin package. The package is not managed by this module.
No additional Puppet modules are required for this type.

Usage

Set a single capability

Set the capability used by ping to be able to open a raw socket without being setuid:

file_capability { '/bin/ping':
  ensure     => present,
  capability => 'cap_net_raw=ep',
}

Set multiple capabilities

This set of capabilities is used by Wireshark to be available to non-root users:

file_capability { '/usr/bin/dumpcap':
  capability => [ 'cap_net_admin=eip', 'cap_net_raw=eip', ],
}

Both capabilities use the same flags, so this can be abbreviated:

file_capability { '/usr/bin/dumpcap':
  capability => 'cap_net_admin,cap_net_raw=eip',
}

Clear all capabilities

Remove all file capabilities:

file_capability { '/path/to/executable':
  ensure => absent,
}

Reference

Type: `file_capability`

Parameters for the file_capability type:

`ensure`

Indicate if the capability for the file should be created or removed. Valid options: present, absent. Default value: present

`file`

The name of the file for which the capabilities should be managed. This must be an absolute pathname. The resource title is used if this parameter is left unspecified.

file_capability { 'foo':
  file   => '/path/to/executable',
  ensure => absent,
}

If Puppet manages the file specified by the file parameter, then this type will autorequire the file resource.

`capability`

A String or an array of strings with capability specifications. A capability specification has the following format:

A single capability name or a list of capability names separated by commas
An operator character: =, + or -
Operator flags using one or multiple lowercase letters: e, i and p

Valid capability specifications are for example:

'cap_net_raw=ep'
'cap_net_admin,cap_net_raw=eip'
[ 'CAP_DAC_READ_SEARCH=ep', 'CAP_SYS_ADMIN=ep', ]

See the capabilities(7) manpage for details and a description of all available capabilities and the meaning of the operator flags.

An error is signaled if the capability specification has an illegal format.

Limitations

The type uses a regular expression to validate the capability parameter. Unfortunately some illegal specifications are not caught by this check.

Capabilities are only available on recent operating system releases like RedHat 7 and Debian 8. In addition the file system must support extended attributes to store the capabilities for the file.

The module is currently developed and tested on:

Debian 8 (Jessie)

Development

Feel free to send pull requests for new features.

Types in this module release

file_capability

Set file capabilities on Linux. A file capability allows running a program with elevated privileges without the need to make that executable a setuid binary. Capabilities allow a more fine grained definition of privileges for a program. See the capabilities(7) manpage for an overview of Linux capabilities.

The capability parameter can be a string if only one capability should be
defined and an array for managing multiple capabilities.

The implemented provider uses the 'setcap' program to check if the current
and the defined capabilities are in sync. In some cases the textual
represemtation may look different when in fact the capabilities are
correctly set. By using the 'setcap' program this is handled correctly
by the operating system.

Example:

    file_capability { '/bin/ping':
      ensure     => present,
      capability => 'cap_net_raw=ep',
    }

In this example, Puppet will ensure the ping executable has the correct
capability to be able to open raw sockets without running setuid.

    file_capability { '/usr/bin/dumpcap':
      capability => 'cap_net_admin,cap_net_raw=eip',
    }

This example shows how to set the Effective, Inheritable and Permitted
flags for two capabilities at the same time. This ensures the executable
used by the Wireshark network sniffer can be used by an ordinary user.

    file_capability { 'scanner-access-permissions':
      ensure     => present,
      file       => '/usr/local/sbin/scanner',
      capability => [ 'CAP_DAC_READ_SEARCH=ep', 'CAP_SYS_ADMIN=ep', ],
    }

This example sets the capabilities to bypass file read permission checks
and perform additional system administration operations for an
hypothetical scanner executable.

Parameters
ensure
file	The name of the file for which the capabilities should be managed. Default is the resource title. The file will be autorequired if it is managed by Puppet.
provider

Properties
capability	The capabilities to ensure for the file. This parameter is mandatory for ensure => 'present'. The parameter can be a string if only one capability should be set and an array to define multiple capabilities. Each capability consists of one or more capability names separated by commas, an operator '=', '+' or '-' and capability flags. Valid flags are 'e', 'i' or 'p' for the Effective, Inheritable and Permitted sets. Flags must be given in lowercase.

Properties

capability

The capabilities to ensure for the file. This parameter is mandatory for ensure => 'present'. The parameter can be a string if only one capability should be set and an array to define multiple capabilities. Each capability consists of one or more capability names separated by commas, an operator '=', '+' or '-' and capability flags. Valid flags are 'e', 'i' or 'p' for the Effective, Inheritable and Permitted sets. Flags must be given in lowercase.

Providers
linux

Copyright (c) 2016 Stefan Möding
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
   notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
   notice, this list of conditions and the following disclaimer in the
   documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.

file_capability

Version information

This version is compatible with:

Start using this module

Documentation

file_capability

Table of Contents

Overview

Module Description

Setup

What file_capability affects

Setup requirements

Usage

Set a single capability

Set multiple capabilities

Clear all capabilities

Reference

Type: `file_capability`

`ensure`

`file`

`capability`

Limitations

Development

Types in this module release

file_capability

2018-02-04 - Release 1.0.1

Summary

2016-10-11 - Release 1.0.0

Summary

PDK

file_capability

Version information

This version is compatible with:

Start using this module

Documentation

file_capability

Table of Contents

Overview

Module Description

Setup

What file_capability affects

Setup requirements

Usage

Set a single capability

Set multiple capabilities

Clear all capabilities

Reference

Type: file_capability

ensure

file

capability

Limitations

Development

Types in this module release

file_capability

2018-02-04 - Release 1.0.1

Summary

2016-10-11 - Release 1.0.0

Summary

PDK

Type: `file_capability`

`ensure`

`file`

`capability`