REFERENCE.md

File metadata and controls

150 lines (94 loc) · 4.4 KB

Reference

Table of Contents

Classes

  • file_capability: Manage Linux file capabilities and the required utility package

Resource types

Classes

file_capability

Manage Linux file capabilities and the required utility package

Examples

Declare the class using hiera provided defaults

```puppet
include file_capability
```

Parameters

The following parameters are available in the file_capability class:

manage_package

Data type: Boolean

Whether to manage the package providing the getcap and setcap executables with this class. If the package is managed by this class it will be installed before any file_capability resource is created. The default value is true as defined in the module hiera data.

package_ensure

Data type: String

The state the package should be in. Normally this is either one of the strings installed or latest or a specific version number of the package. The module hiera data provides the default value installed.

package_name

Data type: String

The name of the package to install. This parameter is operating system specific and the default is taken from the module hiera data.

file_capabilities

Data type: Hash[String,Data]

A hash used to create file_capability resources. This parameter helps to configure file capabilities in hiera without the need to create an additional helper class.

Default value: {}

Resource types

file_capability

File capabilities allow running a program with elevated privileges without the need to make that executable a setuid binary. Capabilities allow a more fine-grained definition of privileges for a program. See the capabilities(7) manpage for an overview of Linux capabilities.

The capability parameter can be a string if only one capability should be defined and an array for managing multiple capabilities.

The implemented provider uses the 'setcap' program to check if the current and the defined capabilities are in sync. In some cases the textual representation may look different when in fact the capabilities are correctly set. By using the 'setcap' program this is handled correctly by the operating system.

Examples

Enable ping to open raw sockets without running setuid

```puppet
file_capability { '/bin/ping':
  ensure     => present,
  capability => 'cap_net_raw=ep',
}
```

Set multiple flags for two capabilities at the same time

```puppet
file_capability { '/usr/bin/dumpcap':
  capability => 'cap_net_admin,cap_net_raw=eip',
}
```

Properties

The following properties are available in the file_capability type.

capability

The capabilities to ensure for the file. This parameter is mandatory for ensure => 'present'. The parameter can be a string if only one capability should be set and an array to define multiple capabilities. Each capability consists of one or more capability names separated by commas, an operator '=', '+' or '-' and capability flags. Valid flags are 'e', 'i' or 'p' for the Effective, Inheritable and Permitted sets. Flags must be given in lowercase.
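The capability syntax above (comma-separated names, one of the operators '=', '+' or '-', lowercase flags from e, i and p) and the earlier remark that two textual representations can describe the same capability sets are easier to reason about with a small parser. The following Python is an added example written for this reference page, not code from the module or its provider: it parses a capability string or array in that syntax, reduces it to a canonical per-capability flag set, and compares two specifications for equivalence. It implements only the syntax documented here (no whitespace-separated clauses or the 'all' keyword from cap_from_text(3)), and the rule that a capability with no flags left is treated as unset is an assumption of this example.

```python
"""Parse and compare file-capability text in the syntax the file_capability
type documents: capability names separated by commas, an operator ('=', '+'
or '-') and lowercase flags from {e, i, p}.  Added example, not module code."""
import re
from typing import Dict, FrozenSet, Iterable, List, Tuple, Union

VALID_FLAGS = frozenset("eip")  # Effective, Inheritable, Permitted sets

# One clause: names, operator, flags.  Flags accept any letters so that an
# uppercase flag yields a clear error instead of "malformed clause".
_CLAUSE = re.compile(
    r"^(?P<caps>[a-z0-9_]+(?:,[a-z0-9_]+)*)(?P<op>[=+-])(?P<flags>[A-Za-z]*)$"
)

CapState = Dict[str, FrozenSet[str]]  # capability name -> flags in force


def parse_clause(text: str) -> Tuple[List[str], str, FrozenSet[str]]:
    """Split one clause into (names, operator, flags), rejecting bad input."""
    m = _CLAUSE.match(text.strip())
    if not m:
        raise ValueError(f"malformed capability clause: {text!r}")
    caps = m.group("caps").split(",")
    op = m.group("op")
    flags = set(m.group("flags"))
    bad = flags - VALID_FLAGS
    if bad:
        raise ValueError(f"invalid flag(s) {sorted(bad)} in {text!r}; use lowercase e, i or p")
    if op in "+-" and not flags:
        raise ValueError(f"operator {op!r} needs at least one flag: {text!r}")
    return caps, op, frozenset(flags)


def is_valid_clause(text: str) -> bool:
    """True when the clause parses under the documented syntax."""
    try:
        parse_clause(text)
        return True
    except ValueError:
        return False


def apply_clause(state: CapState, clause: str) -> CapState:
    """Return a new state with one clause applied: '=' replaces the flag set,
    '+' adds flags, '-' removes flags (a no-op for flags not present)."""
    caps, op, flags = parse_clause(clause)
    new = dict(state)
    for cap in caps:
        current = set(new.get(cap, frozenset()))
        if op == "=":
            current = set(flags)
        elif op == "+":
            current |= flags
        else:
            current -= flags
        if current:
            new[cap] = frozenset(current)
        else:
            new.pop(cap, None)  # assumption: no flags left means the capability is unset
    return new


def capability_state(spec: Union[str, Iterable[str]]) -> CapState:
    """Reduce a string or an array of clauses to the resulting flag sets."""
    clauses = [spec] if isinstance(spec, str) else list(spec)
    state: CapState = {}
    for clause in clauses:
        state = apply_clause(state, clause)
    return state


def same_capabilities(a: Union[str, Iterable[str]], b: Union[str, Iterable[str]]) -> bool:
    """Two specifications are equivalent when they yield the same flag sets."""
    return capability_state(a) == capability_state(b)


def canonical(spec: Union[str, Iterable[str]]) -> str:
    """One '=' clause per capability, names sorted, flags in e,i,p order."""
    state = capability_state(spec)
    return " ".join(
        f"{cap}={''.join(f for f in 'eip' if f in flags)}"
        for cap, flags in sorted(state.items())
    )


if __name__ == "__main__":
    wanted = "cap_net_admin,cap_net_raw=eip"  # the dumpcap example above
    # Constructed alternative spelling of the same end state, in array form.
    observed = ["cap_net_raw=eip", "cap_net_admin=ip", "cap_net_admin+e"]
    print(canonical(wanted))
    print(same_capabilities(wanted, observed))
    print(same_capabilities("cap_net_raw=ep", "cap_net_raw=p"))
```

Comparing the canonical form, rather than the raw strings, is the safe way to audit whether a file carries exactly the capabilities a manifest intends: dropping the 'e' flag from 'cap_net_raw=ep' is reported as a difference, while reordering names or splitting one clause into several is not.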

ensure

Valid values: present, absent

Specifies whether the file capability should exist.

Default value: present

Parameters

The following parameters are available in the file_capability type.

file

The name of the file for which the capabilities should be managed. Default is the resource title. The file will be autorequired if it is managed by Puppet.

provider

The specific backend to use for this file_capability resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.