How to execve a process, retaining capabilities in spite of missing filesystem-based capabilities?

你的背包 2020-12-18 07:49

I want to make the system usable without setuid, file "+p" capabilities, and in general without things which are disabled when I set PR_SET_NO_NEW_PRIVS.

3 answers
  •  猫巷女王i
    2020-12-18 08:09

    I think (my understanding), that the best way to use capabilities is:

    • For programs that need capabilities and are trusted, including trusted not to leak capabilities: e.g. the packet sniffing part of Wireshark, a web server that needs to listen on port 80.
      • new programs, capabilities aware: set permitted.
      • legacy programs, not capabilities aware: set permitted and effective
    • For programs that will leak capabilities, and have code that could (sometimes) use a capability: set inherited
      • e.g. for chmod set inherit CAP_FOWNER, if user needs super powers (those normally held by root), then they need to use setpriv (or equivalent, this could be rolled into sudo), else it works in unprivileged mode.
    • When a process needs to fork and share some capabilities, then and only then use ambient. Probably same executable; if it was a different one, then this new one would have permitted or inherited set on the file. [Edit: I have just realised that you do not need ambient if you do not exec. If I think of a use-case for ambient, in a well set up system, then I will add it here. Ambient can be used as a transitional mechanism, when inherited is not set on files that could use it.]

    Uses of ambient:

    • On a system where files do not have the correct capabilities. ( a transitional technique).
    • For shell scripts, that can not have capabilities (as they can not have setuid), except on systems that have fixed and then allow setuid on scripts.
    • Add more here.
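The exec-time capability rules that the answer relies on (file capabilities versus the inheritable set versus the ambient set), as an added C example that is not part of the original thread or any project it mentions. `caps_after_exec` models the transformation described in capabilities(7), so you can check why a file with no capabilities drops everything after execve unless the ambient set carries the capability across, and `raise_ambient` together with `main` shows the ambient raise followed by PR_SET_NO_NEW_PRIVS and execv. The program name, the choice of CAP_NET_BIND_SERVICE and the setpriv invocation in the comment are assumptions for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#include <linux/capability.h>
#endif

/* Per-thread capability sets as 64-bit masks: bit n set == capability n held. */
struct capsets {
    uint64_t permitted, inheritable, effective, ambient, bounding;
};

/* File capability bits as stored in security.capability;
 * file_privileged is 1 when the file has any capabilities or is setuid/setgid. */
struct filecaps {
    uint64_t permitted, inheritable;
    int effective;        /* the file's "effective" flag (+e) */
    int file_privileged;
};

/* Pure model of the execve() transformation from capabilities(7):
 *   P'(ambient)   = file_privileged ? 0 : P(ambient)
 *   P'(permitted) = (P(inh) & F(inh)) | (F(perm) & P(bounding)) | P'(ambient)
 *   P'(effective) = F(effective) ? P'(permitted) : P'(ambient)
 * Inheritable and bounding are carried over unchanged. */
struct capsets caps_after_exec(struct capsets p, struct filecaps f)
{
    struct capsets n;
    n.ambient     = f.file_privileged ? 0 : p.ambient;
    n.permitted   = (p.inheritable & f.inheritable)
                  | (f.permitted & p.bounding)
                  | n.ambient;
    n.effective   = f.effective ? n.permitted : n.ambient;
    n.inheritable = p.inheritable;
    n.bounding    = p.bounding;
    return n;
}

/* Raise one capability into the ambient set. The kernel only allows this when
 * the capability is already in both the permitted and inheritable sets.
 * Returns 0 or -errno so a caller can tell EPERM (not permitted+inheritable,
 * or SECBIT_NO_CAP_AMBIENT_RAISE set) from EINVAL (bad cap / no ambient support). */
int raise_ambient(int cap)
{
#if defined(__linux__) && defined(PR_CAP_AMBIENT)
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) == -1)
        return -errno;
    return 0;
#else
    (void)cap;
    return -ENOSYS;
#endif
}

/* Usage (assumed program name): ./ambient-exec /path/to/program [args...]
 * Assumes the caller already holds CAP_NET_BIND_SERVICE in permitted and
 * inheritable, e.g. started as root via
 *   setpriv --inh-caps=+net_bind_service ./ambient-exec /path/to/server */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
#ifdef __linux__
    int rc = raise_ambient(CAP_NET_BIND_SERVICE);
    if (rc != 0) {
        fprintf(stderr, "ambient raise failed: %s\n", strerror(-rc));
        return 1;
    }
    /* no_new_privs blocks setuid and file capabilities on exec,
     * but the ambient set survives it. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
        perror("PR_SET_NO_NEW_PRIVS");
        return 1;
    }
#endif
    execv(argv[1], argv + 1);
    perror("execv");
    return 1;
}
```

The model function makes the answer's point concrete: with a plain, unprivileged target file, the only term that survives in `P'(permitted)` is `P'(ambient)`, which is exactly why ambient is the transitional mechanism on a no_new_privs system, and why a file with `+i` for the capability needs no ambient set at all.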
