[clug] Securing EtherApe with setcap
Bryan Kilgallin (PC)
bryan at netspeed.com.au
Wed Oct 12 03:20:42 UTC 2016
Thanks, Bob:
>> So I can close EtherApe and Terminal, and then come back later and
>> launch EtherApe with sudo. And I no longer need to use setcap?
>
> Yes, although the whole point of running the setcap command is so
> that you don't need to invoke EtherApe with sudo.
Wow, that works! I had merely followed orders.
> If you are happy to keep invoking EtherApe with sudo, then there is
> no need to change the capabilities of the executable (which is what
> you are doing with setcap).
Thank you for explaining. So I have locked the EtherApe icon to the
Launcher.
>This comment wasn't so much about web servers as much as
> pointing out that changing the capabilities of an executable means that
> anyone (including pseudo-users such as www-data) could now invoke that
> command with those capabilities.
In a login list, I saw user "nobody".
> You just need to be aware of the
> significance (security implications) of adding those capabilities to
> that (or any other) executable.
Yesterday I sat next to a woman who asked the difference between Labor
and Liberal! She was incredulous at suggestions she might choose Greens
or independents. Similarly, the user may be ignorant of what you wish
them to be aware!
> Running the setcap command is basically
> saying "I know what I am doing and I have determined that it is safe
> for this executable to have these additional capabilities".
I don't run a Web server. How might I determine such safety?
Regards,
Bryan.
--
www.netspeed.com.au/bryan/
==========================
More information about the linux
mailing list