sudo-project / sudo

Utility to execute a command as another user
https://www.sudo.ws

Designate per-user(group) capabilities in sudoers file #388

Open level-128 opened 1 month ago

level-128 commented 1 month ago

Rationale:

Enable a per-user (or per-group) Linux capabilities(7)-like feature in the sudoers file. While tools like setcap exist, they do not offer the same ease of use or integration with sudo's centralized access control model. The sudoers configuration allows for granular command control but currently lacks the ability to specify capability categories other than NOEXEC.

Proposed Feature

Extend the sudoers syntax to allow specifying capabilities for commands. These commands should be carefully designed to remain compatible with other platforms and older Linux kernel versions.

Some initial considerations for possible commands:

I'm pretty unsure whether it is feasible to provide such features under different platforms and maintain high compatibility.
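An added example, not code from the sudo project or from the issue author, of the mechanism such a sudoers feature would need at exec time on Linux: before the target command runs, every capability not on an allow-list is removed from the process's capability bounding set with prctl(PR_CAPBSET_DROP), so neither the command nor anything it spawns can regain those capabilities through file capabilities or setuid binaries. The allow-list format (`cap_net_bind_service,cap_net_raw`), the wrapper name `capwrap`, and the `--` separator are assumptions made for illustration, not sudoers syntax. Dropping from the bounding set requires CAP_SETPCAP, so the wrapper only works when started as root, which is the situation sudo is in; the prctl(2) interface is Linux-only, which is the portability problem the issue raises.

```c
/*
 * capwrap.c: illustrative wrapper (not sudo's code) that restricts the
 * capability bounding set to an allow-list and then execs a command.
 *
 * Hypothetical allow-list syntax: "cap_name,cap_name,...". Anything not
 * listed is dropped from the bounding set; for a root target this bounds
 * the permitted set the new program receives on execve(2).
 *
 * Build: cc -Wall -o capwrap capwrap.c
 * Run (needs CAP_SETPCAP): ./capwrap cap_net_bind_service -- /usr/bin/python3 -m http.server 80
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <sys/prctl.h>
#include <unistd.h>
#include <linux/capability.h>

/* Name -> number table for a handful of commonly delegated capabilities;
 * the numbers come from the kernel header, matching capabilities(7). */
static const struct { const char *name; int num; } cap_table[] = {
    { "cap_chown",            CAP_CHOWN },
    { "cap_dac_override",     CAP_DAC_OVERRIDE },
    { "cap_kill",             CAP_KILL },
    { "cap_setgid",           CAP_SETGID },
    { "cap_setuid",           CAP_SETUID },
    { "cap_net_bind_service", CAP_NET_BIND_SERVICE },
    { "cap_net_admin",        CAP_NET_ADMIN },
    { "cap_net_raw",          CAP_NET_RAW },
    { "cap_sys_ptrace",       CAP_SYS_PTRACE },
    { "cap_sys_admin",        CAP_SYS_ADMIN },
};

/* Parse "name,name,..." (case-insensitive) into a bitmask where bit n is
 * capability number n. Returns 0 on success, -1 on an unknown name; on
 * error *mask is left untouched. An empty list means "keep nothing". */
int parse_caps(const char *spec, uint64_t *mask)
{
    uint64_t out = 0;
    char *copy = strdup(spec);
    if (copy == NULL)
        return -1;
    for (char *tok = strtok(copy, ","); tok != NULL; tok = strtok(NULL, ",")) {
        int found = 0;
        for (size_t i = 0; i < sizeof cap_table / sizeof cap_table[0]; i++) {
            if (strcasecmp(tok, cap_table[i].name) == 0) {
                out |= (uint64_t)1 << cap_table[i].num;
                found = 1;
                break;
            }
        }
        if (!found) {
            free(copy);
            return -1;
        }
    }
    free(copy);
    *mask = out;
    return 0;
}

/* Remove every capability not in 'keep' from the bounding set. The valid
 * capability range is probed with PR_CAPBSET_READ so the loop stops at
 * whatever the running kernel supports rather than at a compile-time
 * constant. Needs CAP_SETPCAP; returns the number of capabilities dropped,
 * or -1 with errno set on the first failure (EPERM when unprivileged). */
int restrict_bounding_set(uint64_t keep)
{
    int dropped = 0;
    for (int cap = 0; prctl(PR_CAPBSET_READ, (unsigned long)cap, 0, 0, 0) >= 0; cap++) {
        if (keep & ((uint64_t)1 << cap))
            continue;
        if (prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0, 0, 0) != 0)
            return -1;
        dropped++;
    }
    return dropped;
}

int main(int argc, char **argv)
{
    if (argc < 4 || strcmp(argv[2], "--") != 0) {
        fprintf(stderr, "usage: %s <cap,cap,...> -- command [args...]\n", argv[0]);
        return 2;
    }
    uint64_t keep;
    if (parse_caps(argv[1], &keep) != 0) {
        fprintf(stderr, "unknown capability in '%s'\n", argv[1]);
        return 2;
    }
    /* Fail closed: if the bounding set cannot be restricted, do not run the
     * command with more privilege than was asked for. */
    if (restrict_bounding_set(keep) < 0) {
        perror("PR_CAPBSET_DROP");
        return 1;
    }
    execvp(argv[3], &argv[3]);
    perror("execvp");
    return 127;
}
```

Inside the command started this way, `grep CapBnd /proc/self/status` shows only the allowed bits set, and a child that tries to exec a setuid or file-capability binary for a dropped capability will not get it back. A real sudoers implementation would additionally have to decide what the directive means on platforms without prctl, which is the open question in the proposal.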