Resource Type: file_capability

Defined in:
lib/puppet/type/file_capability.rb
Providers:
linux

Summary

Set file capabilities on Linux.

Overview

File capabilities allow running a program with elevated privileges without the need to make that executable a setuid binary. Capabilities allow a more fine grained definition of privileges for a program. See the capabilities(7) manpage for an overview of Linux capabilities.

The capability parameter can be a string if only one capability should be defined and an array for managing multiple capabilities.

The implemented provider uses the ‘setcap’ program to check whether the current and the defined capabilities are in sync. In some cases the textual representation may look different even though the capabilities are in fact correctly set. By delegating the comparison to the ‘setcap’ program, this case is handled correctly by the operating system.

Examples:

Enable ping to open raw sockets without running setuid

file_capability { '/bin/ping':
  ensure     => present,
  capability => 'cap_net_raw=ep',
}

Set multiple flags for two capabilities at the same time

file_capability { '/usr/bin/dumpcap':
  capability => 'cap_net_admin,cap_net_raw=eip',
}

Properties

  • capability

    The capabilities to ensure for the file. This parameter is mandatory for ensure => ‘present’. The parameter can be a string if only one capability should be set and an array to define multiple capabilities. Each capability consists of one or more capability names separated by commas, an operator ‘=’, ‘+’ or ‘-’ and capability flags. Valid flags are ‘e’, ‘i’ or ‘p’ for the Effective, Inheritable and Permitted sets. Flags must be given in lowercase.

  • ensure (defaults to: present)

    Specifies whether the file capability should exist.

    Supported values:
    • present
    • absent
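
The clause syntax described for the capability property, and the reason the overview warns that two textual representations can describe the same capabilities, can be seen in the following added example. It is illustration code, not the module's own type or provider: it models the ‘names=flags’ / ‘+’ / ‘-’ clauses as a small parser and applies them in order to the per-file capability state, so that equality is judged on the resulting sets rather than on the strings (the names parse_clause, capability_state and same_capabilities? are assumptions of this example).

```ruby
require 'set'

# Added example (not the module's own code): a model of the capability
# clause syntax accepted by the `capability` property. A clause is
# "names=flags", "names+flags" or "names-flags"; names are separated by
# commas, flags are any of e, i, p (lowercase) for the Effective,
# Inheritable and Permitted sets.
CLAUSE_RE = /\A([a-z0-9_,]+)([=+-])([eip]*)\z/

# Parse one clause into [names, operator, flags].
# Raises ArgumentError for anything outside the documented syntax
# (uppercase flags, unknown operator, missing capability name).
def parse_clause(clause)
  m = CLAUSE_RE.match(clause)
  raise ArgumentError, "invalid capability clause: #{clause.inspect}" unless m
  names = m[1].split(',').reject(&:empty?)
  raise ArgumentError, "no capability name in #{clause.inspect}" if names.empty?
  [names, m[2], m[3].chars.to_set]
end

# Apply the clauses (a String or an Array, as the property accepts them)
# in order and return the resulting state, e.g.
# { 'cap_net_raw' => Set['e', 'p'] }.
# '=' lowers the named capabilities in all sets and then raises the listed
# flags; '+' raises and '-' lowers only the listed flags. Capabilities that
# end up with no flags are dropped, as they are not set at all.
def capability_state(capability)
  state = Hash.new { |h, k| h[k] = Set.new }
  Array(capability).each do |clause|
    names, op, flags = parse_clause(clause)
    names.each do |name|
      case op
      when '=' then state[name] = flags.dup
      when '+' then state[name].merge(flags)
      when '-' then state[name].subtract(flags)
      end
    end
  end
  state.reject { |_, flags| flags.empty? }
end

# Two textual representations describe the same capabilities when the
# states they produce are equal; comparing the raw strings would report a
# change on every Puppet run even though nothing needs to be done.
def same_capabilities?(a, b)
  capability_state(a) == capability_state(b)
end
```

For instance, 'cap_net_admin,cap_net_raw=eip' and the array ['cap_net_raw=eip', 'cap_net_admin=eip'] differ as text but yield the same state.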

Parameters

  • file

    The name of the file for which the capabilities should be managed. Default is the resource title. The file will be autorequired if it is managed by Puppet.

  • provider

    The specific backend to use for this ‘file_capability’ resource. You will seldom need to specify this — Puppet will usually discover the appropriate provider for your platform.