summaryrefslogtreecommitdiffstats
path: root/debian/iproute2.templates
blob: 38ba278623370969f583d8f73b9322519e07d872 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Template: iproute2/setcaps
Type: boolean
Default: false
_Description: Allow ordinary users to run ip vrf exec using capabilities?
 iproute2 can be used to configure and use Virtual Routing and Forwarding (VRF)
 functionality in the  kernel.
 This normally requires root permissions, but sometimes it's useful to allow
 ordinary users to execute commands from inside a virtual routing and forwarding
 domain. E.g. ip vrf exec examplevrf ping 10.0.0.1
 .
 The ip command supports dropping capabilities, making an exception for ip vrf exec.
 The drawback of setting the permissions is that if in the unlikely case of a
 security critical bug being found before the ip command has dropped capabilities
 then it could be used by an attacker to gain root permissions.
 It's up to you to decide about the trade-offs and select the best setting for your
 system.
 This will give cap_dac_override, cap_net_admin and cap_sys_admin to /bin/ip.
 .
 More information about VRF can be found at:
 https://www.kernel.org/doc/Documentation/networking/vrf.txt