I have an application manager that needs to call setfacl to (dis-)allow execution of a certain file by certain users. This application runs as a non-root user admin (and for a plethora of reasons, I'd like to keep it that way). Therefore the setfacl calls from within manager fail with setfacl: <filename>: Operation not permitted.

My understanding is that I could give the admin user the CAP_FOWNER capability to allow it to use setfacl on files owned by root.

I tried doing so by adding cap_fowner admin to /etc/security/capability.conf.

After re-logging in as admin, the cap is set:
$ capsh --print
Current: = cap_fowner+i
...
setfacl still fails though:
$ setfacl -b <filename>
setfacl: <filename>: Operation not permitted
The file currently has the following acl:
$ getfacl <filename>
# file: <filename>
# owner: root
# group: root
user::rwx
user:cluster-user2:r--
group::r-x
mask::r-x
other::r-x
I also tried sudo setcap cap_fowner=ie manager (following this), but that does not seem to enable manager to use setfacl internally either.

I'm happy about any clues on how to enable using setfacl as a non-root user on root-owned files.

Eventually, I want to run the manager as a systemd service using the user admin. Is there a systemd way to add the required capability?
/usr/bin, installed by a deb package. Which is why I'm hesitant to just change the file's owner.

sudo setcap CAP_FOWNER=+eip /path/to/binary.
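As an added check (not from the question or any reply), the POSIX shell script below decodes the CapInh/CapPrm/CapEff masks that the kernel exposes in /proc/self/status, which is what capsh --print summarises, and reports whether CAP_FOWNER is merely inheritable (the cap_fowner+i state shown above, which grants nothing on its own) or actually effective. Capability bit numbers follow capabilities(7); the function names and the optional status-file argument are my own, and any masks used for self-testing are constructed.

```shell
#!/bin/sh
# Decode Linux capability masks from a /proc/<pid>/status file and report
# the state of one capability. CAP_FOWNER is capability number 3
# (capabilities(7)); masks are 64-bit hex values, one bit per capability.

CAP_FOWNER=3

# cap_bit_set MASKHEX BIT -> exit 0 if BIT is set in the hex mask
cap_bit_set() {
    [ -n "$1" ] || return 1          # no mask (e.g. no /proc) -> not set
    mask=$(( 0x$1 ))
    [ $(( (mask >> $2) & 1 )) -eq 1 ]
}

# cap_mask NAME [STATUSFILE] -> hex value of CapInh/CapPrm/CapEff/CapAmb
cap_mask() {
    awk -v key="$1:" '$1 == key { print $2 }' "${2:-/proc/self/status}" 2>/dev/null
}

# cap_state BIT [STATUSFILE] -> effective | permitted | inheritable-only | absent
# Checked in that order: "effective" implies the cap is usable right now,
# "inheritable-only" (what capability.conf / cap_fowner+i gives) does not.
cap_state() {
    bit=$1; status=${2:-/proc/self/status}
    if   cap_bit_set "$(cap_mask CapEff "$status")" "$bit"; then echo effective
    elif cap_bit_set "$(cap_mask CapPrm "$status")" "$bit"; then echo permitted
    elif cap_bit_set "$(cap_mask CapInh "$status")" "$bit"; then echo inheritable-only
    else echo absent
    fi
}

echo "CAP_FOWNER in this shell: $(cap_state "$CAP_FOWNER")"
```

An inheritable capability only becomes permitted across an execve of a binary whose own file capabilities list it as inheritable, or through the ambient set; a child such as setfacl that carries no file capabilities therefore starts without it unless the ambient set holds it, which is what systemd's AmbientCapabilities= populates for a service.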