Linux capabilities (setcap) seems to disable LD_LIBRARY_PATH

As already stated in other answers, this behavior is intended. There is some kind of workaround if you can compile (or at least link) the application yourself. Then you can pass -Wl,-rpath <yourDynamicLibraryPath> to gcc or -rpath <yourDynamicLibraryPath> to ld and you won’t have to specify LD_LIBRARY_PATH at all on execution.

How to find out what Linux capabilities a process requires to work?

Based on recent libcap2 update

1: (Short option): getpcaps

Description: From here: getpcaps displays the capabilities on the processes indicated by the pid value(s) given on the command line.

Example:

    $ getpcaps <PID>
    PID: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+i

2: (A bit longer option): /proc status and capsh

Description: proc is a process information pseudo-filesystem or in other …

Is it possible to configure Linux capabilities per user? [closed]

It can sort of be done with libcap – it provides a PAM module pam_cap.so. However it’s not quite that simple 🙂

Each process has three capability sets:

Effective (the caps that this process actually has)
Permitted (the caps that this process can possibly have – a superset of Effective)
Inheritable (the caps that this …

Privileged containers and capabilities

Running in privileged mode indeed gives the container all capabilities. But it is good practice to always give a container the minimum requirements it needs. The Docker run command documentation refers to this flag:

Full container capabilities (--privileged)

The --privileged flag gives all capabilities to the container, and it also lifts all the limitations enforced …

Is there a way for non-root processes to bind to “privileged” ports on Linux?

Okay, thanks to the people who pointed out the capabilities system and CAP_NET_BIND_SERVICE capability. If you have a recent kernel, it is indeed possible to use this to start a service as non-root but bind low ports. The short answer is that you do:

    setcap 'cap_net_bind_service=+ep' /path/to/program

And then anytime program is executed thereafter it …