How can I get capabilities to work with su?

I added a line to /etc/security/capability.conf so I can have a user who can read everything for backups, but not do everything root can.

cap_dac_read_search backup

If I add a password and shell for the user and then log in, then I get the inherited capability:

backup$ capsh --print
Current: = cap_dac_read_search+i

But it doesn't show up when I su to the account:

user$ sudo su backup -s /bin/sh -c "capsh --print"
Current: =

Naturally it works for sudo or su to root:

user$ sudo capsh --print
Current: = cap_chown,cap_dac_override, ...

Is there a way to get the capabilities transferred when using su?

1 Answer

Install libpam-cap

In /etc/pam.d/su, make sure that pam_cap.so appears before pam_rootok.so

auth optional pam_cap.so
auth sufficient pam_rootok.so

You've already got capability.conf set up, so then you'll be good to go!
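As an added check (example shell code, not part of the original answer), the two helpers below audit the files the answer edits: the first confirms that pam_cap.so is listed before pam_rootok.so in a PAM auth stack, the second confirms that a capability.conf line grants a capability to a user. File paths, user and capability names are parameters, and the sample files are constructed; nothing on the live system is modified.

```shell
#!/bin/sh
# Added audit helpers (example code, not from the original answer).
# Both read a file given as an argument and only report; nothing is changed.
# Hypothetical names: pam_cap_order, capability_conf_grants.

# pam_cap_order FILE
# Exit 0 when the first active "auth ... pam_cap.so" line precedes the first
# "auth ... pam_rootok.so" line, as the answer requires. If pam_rootok.so
# (a "sufficient" module) comes first, root's su is satisfied there and
# pam_cap.so never runs, which is why the capability was not inherited.
# Exit 1 when the order is wrong or pam_cap.so is absent; comments are skipped.
pam_cap_order() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && /pam_cap\.so/    && !cap    { cap = NR }
        $1 == "auth" && /pam_rootok\.so/ && !rootok { rootok = NR }
        END { exit ((cap && (!rootok || cap < rootok)) ? 0 : 1) }
    ' "$1"
}

# capability_conf_grants FILE USER CAP
# Exit 0 when some non-comment line of a capability.conf grants CAP to USER:
# field 1 is a comma-separated capability list, the remaining fields are
# user names, @group names or "*" (everyone).
capability_conf_grants() {
    awk -v user="$2" -v cap="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            n = split($1, caps, ",")
            hit = 0
            for (i = 1; i <= n; i++) if (caps[i] == cap) hit = 1
            if (!hit) next
            for (j = 2; j <= NF; j++) if ($j == user || $j == "*") { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Example use on a real system (paths from the answer):
#   pam_cap_order /etc/pam.d/su && echo "pam_cap.so is ordered before pam_rootok.so"
#   capability_conf_grants /etc/security/capability.conf backup cap_dac_read_search \
#       && echo "backup gets cap_dac_read_search (inheritable set only, as capsh shows with +i)"
```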
