
[question] make use of linux capabilities to run as non-root #417

Open
dkwo opened this issue Dec 2, 2024 · 4 comments

Comments

@dkwo

dkwo commented Dec 2, 2024

I was wondering whether the dhcpcd daemon supports being run as a non-root user, by simply giving some capabilities to its process, either using setpriv, something like

exec setpriv --reuid _wpas --regid _wpas --clear-groups \
  --ambient-caps -all,+net_admin,+net_raw \
  --inh-caps -all,+net_admin,+net_raw \
  --bounding-set -all,+net_admin,+net_raw \
  --no-new-privs -- wpa_supplicant ${OPTS}

(here I use the example for wpa_supplicant, its user being _wpas) or any similar functionality provided by the service manager.

I understand there's the privsep build option, but I was wondering whether this alternative is supported and makes sense from upstream viewpoint. If so, are net_admin and net_raw necessary and sufficient capabilities?

@rsmarples
Member

Short answer no and no plans for it either.

At best we can document it because dhcpcd is mainly installed by package managers which need to then run setpriv.
Each time you create a new file, it's set caps are discarded.

@dkwo
Author

dkwo commented Dec 7, 2024

@rsmarples I think you are misunderstanding how setpriv (part of util-linux) works: it does not touch the binary file, rather it starts a process with those capabilities. The init/service manager can also do it, e.g. I believe systemd and dinit have this feature. This is to be compared with setcap, which instead does what you say and is not a preferred choice.

Btw, with just +net_admin,+net_raw,+net_bind_service I get no errors nor warnings, if I'm not using privsep. Everything seems to work fine.
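
The wrapper sketched in the thread, carried over to dhcpcd with the three capabilities reported as sufficient above, plus the check a practitioner wants afterwards: read CapEff from /proc/PID/status and confirm that nothing beyond net_bind_service, net_admin and net_raw survived. This is an added example, not dhcpcd's or util-linux's own code; the service user name _dhcpcd, the unit name dhcpcd.service and the dhcpcd arguments are assumptions, and it presumes a build without privsep as in the comment above.

```shell
#!/bin/sh
# Added example (not part of dhcpcd). Assumes a dedicated, pre-created
# unprivileged user "_dhcpcd" (hypothetical name) and dhcpcd built without
# the privsep option, as discussed in the thread.
# Capability bit numbers follow include/uapi/linux/capability.h.

DHCPCD_CAPS="net_bind_service,net_admin,net_raw"

# Print the setpriv command line that starts dhcpcd as "$1" with only the
# capabilities in DHCPCD_CAPS. The same set is applied to the bounding,
# inheritable and ambient sets, and no_new_privs stops a setuid or
# file-capability binary from re-escalating later in the process tree.
dhcpcd_setpriv_cmd() {
    user="$1"; shift
    keep="-all"
    for c in $(printf '%s' "$DHCPCD_CAPS" | tr ',' ' '); do
        keep="$keep,+$c"
    done
    printf 'setpriv --reuid %s --regid %s --clear-groups' "$user" "$user"
    printf ' --bounding-set %s --inh-caps %s --ambient-caps %s' "$keep" "$keep" "$keep"
    printf ' --no-new-privs -- dhcpcd %s\n' "$*"
}

# Equivalent settings for a service manager, here as a systemd drop-in
# (e.g. /etc/systemd/system/dhcpcd.service.d/caps.conf; unit name assumed).
dhcpcd_systemd_dropin() {
    cat <<EOF
[Service]
User=$1
Group=$1
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_NET_RAW
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_NET_RAW
NoNewPrivileges=yes
EOF
}

# Name the capability bits this example cares about; every other set bit is
# reported as cap_<n> so an unexpected capability is never silently ignored.
cap_name() {
    case "$1" in
        10) echo net_bind_service ;;
        12) echo net_admin ;;
        13) echo net_raw ;;
        *)  echo "cap_$1" ;;
    esac
}

# Decode a CapEff/CapPrm/CapAmb hex mask (as printed in /proc/PID/status)
# into space-separated capability names, lowest bit first.
decode_capmask() {
    mask=$((0x$1))
    out=""
    i=0
    while [ "$i" -lt 64 ]; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="$out${out:+ }$(cap_name "$i")"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Verify a running process: succeed only if its effective set decodes to
# exactly "$2" (e.g. "net_bind_service net_admin net_raw").
check_caps() {
    pid="$1"; expected="$2"
    eff=$(awk '/^CapEff:/ {print $2}' "/proc/$pid/status") || return 1
    [ "$(decode_capmask "$eff")" = "$expected" ]
}

# Usage (as root): sh this_script.sh --run
# then: check_caps "$(pidof dhcpcd)" "net_bind_service net_admin net_raw"
if [ "${1:-}" = "--run" ]; then
    exec $(dhcpcd_setpriv_cmd _dhcpcd -B)
fi
```

If libcap is installed, `capsh --decode=0000000000003400` gives the same answer as decode_capmask and is the quicker interactive check; the shell version is here so the verification can live in the same script as the launcher. Note that dropping privileges this way only bounds what the whole dhcpcd process can do; it does not separate the network-facing parser from the part that configures interfaces, which is what privsep adds.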

@rsmarples
Member

OK, but privsep will give you better protection than capabilities for the front facing processes which are the most vulnerable.
So the question is now can we make it work with privsep?

@dkwo
Author

dkwo commented Dec 8, 2024

I agree. I can try to experiment more.
