Version information
This version is compatible with:
- Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x
- Puppet >= 5.5.10 < 7.0.0
Start using this module
Add this module to your Puppetfile:
mod 'stm-file_capability', '3.0.0'
file_capability
Table of Contents
- Overview
- Module Description - What the module does and why it is useful
- Setup - The basics of getting started with file_capability
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
Overview
Manage file capabilities on Linux.
Module Description
Linux capabilities provide a more fine-grained privilege model than the traditional privileged user (root) vs. non-privileged user model. File capabilities associate capabilities with an executable and grant additional capabilities to the process calling the executable (similar to what a setuid binary does in the traditional model).
This module provides the file_capability type to set or reset file capabilities for a file. See the capabilities(7) man page for details about the available capabilities in your operating system.
Setup
What file_capability affects
- Sets or resets file capabilities for a given file using the setcap and getcap binaries provided by the operating system.
Setup requirements
- No additional Puppet modules are required for this type.
Usage
Initialize the class to install the required package
include file_capability
On Debian based operating systems this will install the libcap2-bin package to ensure the required binaries are available. For RedHat based systems the package libcap will be installed instead.
Set a single capability
Set the capability used by ping to be able to open a raw socket without being setuid:
file_capability { '/bin/ping':
ensure => present,
capability => 'cap_net_raw=ep',
}
Set multiple capabilities
This set of capabilities is used by Wireshark to be available to non-root users:
file_capability { '/usr/bin/dumpcap':
capability => [ 'cap_net_admin=eip', 'cap_net_raw=eip', ],
}
Both capabilities use the same flags, so this can be abbreviated:
file_capability { '/usr/bin/dumpcap':
capability => 'cap_net_admin,cap_net_raw=eip',
}
Clear all capabilities
Remove all file capabilities:
file_capability { '/path/to/executable':
ensure => absent,
}
Use hiera to create resources
The main class uses the file_capabilities hash parameter to create file_capability resources. So the following hiera item will create the same resource that is shown in the first example:
file_capability::file_capabilities:
'/bin/ping':
ensure: present
capability: 'cap_net_raw=ep'
Reference
See REFERENCE.md
Limitations
The type uses a regular expression to validate the capability parameter. Unfortunately some illegal specifications are not caught by this check.
Capabilities are only available on more recent operating system releases like RedHat 7 and Debian 8. In addition the file system must support extended attributes to store the capabilities for the file.
The module is currently developed and tested on:
- Debian 9 (Stretch)
Development
Feel free to send pull requests for new features.
Reference
Table of Contents
Classes
file_capability: Manage Linux file capabilities and the required utility package
Resource types
file_capability: Set file capabilities on Linux.
Classes
file_capability
Manage Linux file capabilities and the required utility package
Examples
Declare the class using hiera provided defaults
include file_capability
Parameters
The following parameters are available in the file_capability class.
manage_package
Data type: Boolean
Whether to manage the package providing the getcap and setcap executables with this class. If the package is managed by this class it will be installed before any file_capability resource is created. The default value is true as defined in the module hiera data.
package_ensure
Data type: String
The state the package should be in. Normally this is either one of the strings installed or latest or a specific version number of the package. The module hiera data provides the default value installed.
package_name
Data type: String
The name of the package to install. This parameter is operating system specific and the default is taken from the module hiera data.
file_capabilities
Data type: Hash[String,Data]
A hash used to create file_capability resources. This parameter helps to configure file capabilities in hiera without the need to create an additional helper class.
Default value: {}
Resource types
file_capability
File capabilities allow running a program with elevated privileges without the need to make that executable a setuid binary. Capabilities allow a more fine-grained definition of privileges for a program. See the capabilities(7) manpage for an overview of Linux capabilities.
The capability parameter can be a string if only one capability should be defined and an array for managing multiple capabilities.
The implemented provider uses the 'setcap' program to check if the current and the defined capabilities are in sync. In some cases the textual representation may look different when in fact the capabilities are correctly set. By using the 'setcap' program this is handled correctly by the operating system.
Examples
Enable ping to open raw sockets without running setuid
file_capability { '/bin/ping':
ensure => present,
capability => 'cap_net_raw=ep',
}
Set multiple flags for two capabilities at the same time
file_capability { '/usr/bin/dumpcap':
capability => 'cap_net_admin,cap_net_raw=eip',
}
Properties
The following properties are available in the file_capability type.
ensure
Valid values: present, absent
Specifies whether the file capability should exist.
Default value: present
capability
The capabilities to ensure for the file. This parameter is mandatory for ensure => 'present'. The parameter can be a string if only one capability should be set and an array to define multiple capabilities. Each capability consists of one or more capability names separated by commas, an operator '=', '+' or '-' and capability flags. Valid flags are 'e', 'i' or 'p' for the Effective, Inheritable and Permitted sets. Flags must be given in lowercase.
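As an added example (not code from the module), a small Ruby parser for the clause syntax described above, covering both the string and the array form of the property. It also rejects a few malformed forms that a single regular expression alone would not, such as duplicated names or flags, which is the kind of gap the Limitations section mentions; the regular expression and helper names are this example's own, not the module's.

```ruby
# Added example, not part of stm-file_capability: parse the textual capability
# clauses accepted by the `capability` property, e.g. 'cap_net_admin,cap_net_raw=eip'.
# A clause is one or more names separated by commas, an operator '=', '+' or '-',
# and lowercase flags drawn from 'e', 'i' and 'p'. The regex is this example's own.
CLAUSE_RE = /\A(?<names>[a-z][a-z0-9_]*(?:,[a-z][a-z0-9_]*)*)(?<op>[=+-])(?<flags>[eip]*)\z/

# Parse one clause into its parts; return nil if the clause is malformed.
def parse_capability_clause(clause)
  m = CLAUSE_RE.match(clause)
  return nil unless m
  names = m[:names].split(',')
  flags = m[:flags].chars
  # Duplicated names or flags pass a plain regex; reject them explicitly.
  return nil if names.uniq.size != names.size
  return nil if flags.uniq.size != flags.size
  # '+' and '-' need at least one flag to add or remove ('=' may clear all flags).
  return nil if m[:op] != '=' && flags.empty?
  { names: names, op: m[:op], flags: flags }
end

# Accept the string or array form of the property and return the parsed clauses,
# raising ArgumentError that names the offending clause on invalid input.
def parse_capability(value)
  Array(value).map do |clause|
    parsed = parse_capability_clause(clause)
    raise ArgumentError, "invalid capability specification '#{clause}'" unless parsed
    parsed
  end
end

# Apply the clauses left to right the way setcap does: '=' replaces the flags
# of the named capabilities, '+' adds flags, '-' removes them. Returns a hash
# of capability name => sorted flag list, omitting capabilities with no flags.
def effective_sets(value)
  state = Hash.new { |h, k| h[k] = [] }
  parse_capability(value).each do |c|
    c[:names].each do |name|
      case c[:op]
      when '=' then state[name] = c[:flags].sort
      when '+' then state[name] = (state[name] | c[:flags]).sort
      when '-' then state[name] = state[name] - c[:flags]
      end
    end
  end
  state.reject { |_, f| f.empty? }
end
```

Run against the two dumpcap spellings from the Usage section, effective_sets shows they yield the same sets, which is why the provider compares via setcap rather than by string equality.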
Parameters
The following parameters are available in the file_capability type.
file
The name of the file for which the capabilities should be managed. Default is the resource title. The file will be autorequired if it is managed by Puppet.
2019-09-27 - Release 3.0.0
Breaking changes
- Remove support for Puppet 4.
2019-03-31 - Release 2.0.0
Features
- Add the 'file_capability' class to install the required packages.
- Provide a class parameter to create file_capability resources using hiera only.
- Add OracleLinux-7 as supported operating system.
Breaking Changes
- Remove support for Puppet 3
2018-10-14 - Release 1.1.0
Features
- Support Puppet 6.
- Convert the module to PDK.
- Add Ubuntu 18.04 to the supported operating systems.
- Remove Ubuntu 17.10 from the supported operating systems.
2018-02-04 - Release 1.0.1
Summary
A metadata update without functional changes.
2016-10-11 - Release 1.0.0
Summary
Initial release.
Copyright (c) 2016, Stefan Möding All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.