Re: how to enable non root user to execute nginx reload

Igor A. Ippolitov
October 19, 2020 10:12AM
Hello Allen.

Capabilities for a binary without ambient flag won't work for a non-root
user if I get it correctly from manuals.
So it looks like you are on the way to success with '--ambient-caps'.
It looks like 'su' drops all capabilities, though.
You may want to have a look at libpam_cap which may solve this problem
for you.
Other than this the approach should work.

Best regards,
Igor.

On 19.10.2020 12:24, allenhe wrote:
> A non root process needs to signal reload to nginx master (as root) without
> sudo
>
> I've tried using setcap and setpriv with CAP_KILL; neither works.
>
>
> # getcap nginx/sbin/nginx
> nginx/sbin/nginx = cap_kill+ip
> #su user01 -s /bin/sh -c 'nginx/sbin/nginx -s reload'
> nginx: [alert] kill(68, 1) failed (1: Operation not permitted)
>
>
> #setpriv --inh-caps +cap_5 --ambient-caps +cap_5 su user001 -s /bin/sh -c
> 'nginx/sbin/nginx -s reload'
> nginx: [alert] kill(68, 1) failed (1: Operation not permitted)
>
>
> I don't know if this is specific to nginx only or I misused the Linux
> capability?
> Looking forward to the help.
>
>
> BR,
> Allen
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,289755,289755#msg-289755
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
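
Added example, not part of the original thread: a small Python model of the execve() capability rules documented in capabilities(7), applied to the two failing commands quoted above and to an ambient-capability setup. The three-name `ALL` set stands in for the full bounding set, and the starting process states are assumptions about what `su` and `setpriv` leave behind.

```python
# Model of the execve() capability transformation in capabilities(7) for a
# non-root process. Sets are frozensets of capability names.
from dataclasses import dataclass

NONE = frozenset()
KILL = frozenset({"cap_kill"})
ALL = frozenset({"cap_kill", "cap_setuid", "cap_net_bind_service"})  # stand-in only

@dataclass(frozen=True)
class Proc:
    permitted: frozenset = NONE
    inheritable: frozenset = NONE
    effective: frozenset = NONE
    ambient: frozenset = NONE
    bounding: frozenset = ALL

@dataclass(frozen=True)
class File:
    permitted: frozenset = NONE
    inheritable: frozenset = NONE
    effective: bool = False   # the single 'e' bit of a file capability
    setid: bool = False       # set-user-ID or set-group-ID bit

def execve(p: Proc, f: File) -> Proc:
    # A file with any capability or a set-ID bit is "privileged": ambient is cleared.
    privileged = bool(f.permitted or f.inheritable or f.effective or f.setid)
    ambient = NONE if privileged else p.ambient
    permitted = (p.inheritable & f.inheritable) | (f.permitted & p.bounding) | ambient
    effective = permitted if f.effective else ambient
    return Proc(permitted, p.inheritable, effective, ambient, p.bounding)

def drop_root(p: Proc) -> Proc:
    # All UIDs go from 0 to non-zero without SECBIT_KEEP_CAPS: permitted,
    # effective and ambient are cleared; inheritable is left alone.
    return Proc(NONE, p.inheritable, NONE, NONE, p.bounding)

NGINX_IP = File(permitted=KILL, inheritable=KILL)  # "cap_kill+ip" from the getcap output
PLAIN = File()                                     # binary without file capabilities

def via_su(root_proc: Proc, binary: File) -> Proc:
    # su switches UID, execs /bin/sh, which then execs the target binary.
    return execve(execve(drop_root(root_proc), PLAIN), binary)

def has_cap_kill(p: Proc) -> bool:
    return "cap_kill" in p.effective

case1 = via_su(Proc(ALL, NONE, ALL), NGINX_IP)          # su + nginx with cap_kill+ip
case2 = via_su(Proc(ALL, KILL, ALL), NGINX_IP)          # setpriv --inh-caps, then su
case3 = execve(Proc(KILL, KILL, KILL, KILL), PLAIN)     # ambient kept, no file caps
case4 = execve(Proc(KILL, KILL, KILL, KILL), NGINX_IP)  # ambient kept, file still +ip
```

In cases 1, 2 and 4 CAP_KILL ends up in the permitted set only, so the effective set is empty when the signal is sent; only case 3, an ambient capability that reaches a binary without file capabilities, leaves it effective.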

