blob: ca18a297e4a1d342d99144542d6b908038958f82 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
Template: iproute2/setcaps
Type: boolean
Default: false
_Description: Allow ordinary users to run ip vrf exec using capabilities?
iproute2 can be used to configure and use Virtual Routing and Forwarding (VRF)
functionality in the kernel.
This normally requires root permissions, but sometimes it's useful to allow
ordinary users to execute commands from inside a virtual routing and forwarding
domain. E.g. ip vrf exec examplevrf ping 10.0.0.1
.
The ip command supports dropping capabilities, making an exception for ip vrf exec.
The drawback of setting the permissions is that if in the unlikely case of a
security critical bug being found before the ip command has dropped capabilities
then it could be used by an attacker to gain root permissions.
It's up to you to decide about the trade-offs and select the best setting for your
system.
This will give cap_dac_override, cap_net_admin and cap_bpf to /bin/ip.
.
More information about VRF can be found at:
https://www.kernel.org/doc/Documentation/networking/vrf.txt
|
