SetCap with NFS


I am working on a project that requires using raw sockets, and raw sockets need CAP_NET_RAW to work. We used setcap and it worked fine. Now the executable is on NFS, and now setcap can't be used. Is there a workaround? Thanks in advance.

I tried chown root and chmod u+s to increase the privilege of my executable, but it didn't work.

paulsm4 On

Your app uses raw sockets, and raw sockets require that the process have the CAP_NET_RAW capability, correct?

https://manpages.ubuntu.com/manpages/kinetic/en/man7/packet.7.html:

In order to create a packet socket, a process must have the CAP_NET_RAW capability in the user namespace that governs its network namespace.

You've been relying on extended attributes to associate CAP_NET_RAW capability with your app's executable file, but your NFS server doesn't support this, correct?

Here's a potential workaround:

https://stackoverflow.com/a/44103544/421195

You can use fuse_xattrs (a fuse filesystem layer) to emulate extended attributes (xattrs) on NFS shares. Basically you have to do:

  1. mount the NFS share. e.g.: /mnt/shared_data

  2. mount the fuse xattr layer:

    $ fuse_xattrs /mnt/shared_data /mnt/shared_data_with_xattrs
    

Now all the files on /mnt/shared_data can be accessed on /mnt/shared_data_with_xattrs with xattrs support. The extended attributes will be stored on sidecar files. The extended attributes are not going to be stored on the server filesystem as extended attributes, they are going to be stored in sidecar files.

Sadly this is only a work-around.

disclaimer: I'm the author of fuse_xattrs.

fbarriga
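
A mount-table check to go with the workaround above, as an added example that is not part of the original question or answers: it reports whether the kernel would honour file capabilities or setuid bits for a path, since both are ignored on any mount carrying the `nosuid` option. The mount table embedded in it is constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Reports whether file capabilities (the security.capability
# xattr written by setcap) and setuid bits can take effect for a given path.

# Constructed mount table in /proc/mounts format (sample data, not from the post).
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
server:/export /mnt/shared_data nfs4 rw,relatime,vers=4.2 0 0
fuse_xattrs /mnt/shared_data_with_xattrs fuse rw,nosuid,nodev,relatime 0 0
EOF
}

# mount_for PATH [TABLE]: print "mountpoint fstype options" for the longest
# mount point containing PATH. Mount points containing spaces are not handled.
mount_for() {
    awk -v p="$1" '
        { mp = $2
          # Match "/" or a whole path component, so /mnt/shared_data does not
          # claim files under /mnt/shared_data_with_xattrs.
          if ((mp == "/" || p == mp || index(p, mp "/") == 1) && length(mp) >= best) {
              best = length(mp); hit = mp " " $3 " " $4
          } }
        END { if (hit != "") print hit }
    ' "${2:-/proc/mounts}"
}

# caps_verdict PATH [TABLE]: print one of
#   nosuid  - mount option nosuid: capabilities and setuid bits are ignored on exec
#   nfs     - NFS mount: the case from the question, where setcap cannot be used
#   ok      - nothing in the mount table prevents file capabilities
#   unknown - no matching mount
caps_verdict() {
    info=$(mount_for "$1" "${2:-/proc/mounts}")
    [ -n "$info" ] || { echo unknown; return 0; }
    fstype=${info#* }; fstype=${fstype%% *}
    case ",${info##* }," in *,nosuid,*) echo nosuid; return 0 ;; esac
    case $fstype in nfs|nfs4) echo nfs ;; *) echo ok ;; esac
}

if [ $# -gt 0 ]; then caps_verdict "$1"; fi
```

Run it with the executable's path as the only argument to check the live `/proc/mounts`; a `nosuid` verdict on the overlay mount means capabilities stored in the sidecar files will not be applied when the program is executed from there.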