capabilities

March 26, 2020 Contributors

Name

capabilities — selectively retain "root" capabilities

Synopsis

Security { capabilities = "linux capability set" }

Description

It is generally agreed that running with "root privileges" is dangerous for Internet servers. As such, Linux exposes a "capabilities" system that allows a non-privileged user to retain certain root privileges. The capability system makes this possible.

The list of possible capabilities for Linux may vary depending on your Linux distribution, but documentation is found in the capabilities manual page. We use the cap_from_text library function to process the Linux capabilities string, so we will accept any capability supported by the operating system. The capability adjustment is applied via the cap_set_proc library function. If no capabilities string is specified, no privileges are retained; this is the default.

The following is an example of using the Capabilities option in a single-node configuration:

Security {
  user = ecuser
  group = ecuser
  # Allow binding to privileged ports without requiring a process restart
  Capabilities = "cap_net_bind_service+ep"
}

The following is an example of using the Capabilities option on a cluster node:

Security {
  user = ecuser
  group = ecuser
  Capabilities = "cap_net_admin+ep cap_net_bind_service+ep cap_net_raw+ep cap_sys_resource+ep"
}

Note

The capabilities in this example make it possible to use DuraVIP™ bindings in a cluster when running as the user "ecuser".

The DuraVIP™ feature of Momentum requires higher privileges than usual in order to manipulate the network interfaces on the machine; rather than running with all possible privileges, you can configure Capabilities to specify the subset of privileges that are required. During initialization, Momentum will adjust the process privileges as you specify, and this typically results in a process running at a lower privilege level that cannot later increase its privilege level.

Note

Changing the value of options in the security scope at runtime requires restarting the ecelerity process—issuing the ec_console command config reload will not suffice.

Scope

capabilities is valid in the security scope.

See Also

security, user, chroot, and supplemental_groups