On Linux the privileges a program may exercise can be tuned with capabilities.
Linux capabilities split the actions traditionally reserved for processes running as root into distinct units that can be granted individually.
This is a feature of the operating system itself and is enforced by the kernel.
In this article we show how to let the snowagent process read files and enter directories it would otherwise be denied, by adding one such capability to the snowagent binary.
The capability is CAP_DAC_READ_SEARCH, described in capabilities(7) as: "Bypass file read permission checks and directory read and execute permission checks". It bypasses discretionary access control (the owner/group/other mode bits and POSIX ACLs) only: it grants no write access, and mandatory access control such as SELinux or AppArmor still applies.
In my test lab I created two new directories on the root filesystem:
/rootdir - This directory is owned by the root user. Only the root user can change to this directory and read the files therein (mode 600: group and others have no access; root is unaffected because root bypasses DAC checks)
/userdir - This directory is owned by the snow user. Any user can change to and read the contents of this directory.
I copied /usr/bin/bash into /rootdir and changed its permissions to 700 (only root can see this now)
I copied /usr/bin/bash into /userdir and left the permissions as-is (any user can still read this)
As we can see, my snow user is not able to change to or read from the /rootdir directory:
The snowagent files are owned by, and the agent runs as, the snow user:
I configured the agent to only scan these two directories for this demonstration:
The first scan was run by the snow user with the snowagent as it comes "out of the box".
As expected we can see that /userdir was scanned but /rootdir was not.
Now we apply the CAP_DAC_READ_SEARCH capability to the snowagent binary and run another scan:
(The +ep suffix adds the capability to the file's permitted set and sets the effective flag, so the capability is raised into the process's effective set as soon as the binary is executed; the agent needs no code changes to use it. Running setcap itself requires root, or more precisely CAP_SETFCAP.)
- setcap CAP_DAC_READ_SEARCH+ep /opt/snow/snowagent
Now that the agent is allowed to bypass read permission checks on files and read/execute permission checks on directories owned by root, /rootdir has also been scanned:
This is so even though my snow user is still unable to change to or read from this directory:
You can check what capabilities have been set on the snowagent like this (the -r flag is only needed to walk a directory tree; "getcap -r /" is a useful way to audit every binary on the system that carries file capabilities):
- getcap -r /opt/snow/snowagent
Should you wish to remove this functionality the capability can be "unset" using:
- setcap -r /opt/snow/snowagent
In a final run of the snowagent to confirm the removal we see that once again /userdir has been scanned, but /rootdir has not:
Two points are worth keeping in mind with this approach. The capability is attached to the file, not to the snow user, so any account that can execute /opt/snow/snowagent gains the same read bypass for as long as the agent runs; keep the binary executable only by its owner (or the snow group), and treat the agent's output files accordingly, since they may now describe content the snow user could not otherwise read. setcap stores the capability in the security.capability extended attribute of that file, so it disappears when the binary is replaced, for example by an agent upgrade, and must then be re-applied.
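The following Python is an added example, not part of the original article and not Snow agent code. It decodes the two places where the capability granted above can be observed: the security.capability extended attribute that setcap writes on the binary (what getcap reads back, including the +ep flags), and the Cap* lines of /proc/<pid>/status for a running agent. The sample xattr bytes and status lines are constructed; the path /opt/snow/snowagent is only used for an optional live check and is assumed from the article.

```python
"""Decode Linux file capabilities (security.capability xattr) and process
capability masks (/proc/<pid>/status). Standard library only; no root needed."""
import os
import stat
import struct

# Capability bit numbers from <linux/capability.h>; unnamed bits print as cap_<n>.
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    3: "cap_fowner", 4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid",
    7: "cap_setuid", 8: "cap_setpcap", 12: "cap_net_admin", 13: "cap_net_raw",
    18: "cap_sys_chroot", 19: "cap_sys_ptrace", 21: "cap_sys_admin",
    31: "cap_setfcap",
}
CAP_DAC_READ_SEARCH = 2

# struct vfs_cap_data constants (include/uapi/linux/capability.h).
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000       # magic_etc + two {permitted, inheritable} u32 pairs
VFS_CAP_REVISION_3 = 0x03000000       # revision 2 layout plus a trailing u32 rootid
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001  # one "e" flag covers every permitted capability


def cap_names(mask: int) -> list:
    """Bit mask -> sorted list of capability names."""
    return sorted(CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if (mask >> b) & 1)


def parse_vfs_cap(blob: bytes) -> dict:
    """Decode a raw security.capability value into permitted/inheritable/effective."""
    if len(blob) < 20:
        raise ValueError("security.capability value is too short")
    magic_etc, p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<5I", blob, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_2:
        rootid = 0
    elif revision == VFS_CAP_REVISION_3 and len(blob) >= 24:
        rootid = struct.unpack_from("<I", blob, 20)[0]
    else:
        raise ValueError(f"unsupported vfs_cap_data revision 0x{revision:08x}")
    return {
        "permitted": p_lo | (p_hi << 32),
        "inheritable": i_lo | (i_hi << 32),
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "rootid": rootid,
    }


def format_vfs_cap(caps: dict) -> str:
    """Render like getcap, e.g. 'cap_dac_read_search=ep'."""
    groups = {}
    for bit in range(64):
        in_p = (caps["permitted"] >> bit) & 1
        in_i = (caps["inheritable"] >> bit) & 1
        if not (in_p or in_i):
            continue
        flags = ("e" if in_p and caps["effective"] else "") + ("i" if in_i else "") + ("p" if in_p else "")
        groups.setdefault(flags, []).append(CAP_NAMES.get(bit, f"cap_{bit}"))
    return " ".join(f"{','.join(names)}={flags}" for flags, names in sorted(groups.items()))


def parse_status_caps(status_text: str) -> dict:
    """Pull the CapInh/CapPrm/CapEff/CapBnd/CapAmb hex masks out of /proc/<pid>/status."""
    masks = {}
    for line in status_text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, value = line.split(":", 1)
            masks[key] = int(value.strip(), 16)
    return masks


def process_can_bypass_dac_read(status_text: str) -> bool:
    """True if the process's effective set contains CAP_DAC_READ_SEARCH."""
    return bool((parse_status_caps(status_text).get("CapEff", 0) >> CAP_DAC_READ_SEARCH) & 1)


def exec_exposure(mode: int) -> list:
    """Who can execute a file-capability binary. Everyone who can exec it gets the
    capability, so a world-executable agent lets any local user read DAC-protected files."""
    who = []
    if mode & stat.S_IXUSR:
        who.append("owner")
    if mode & stat.S_IXGRP:
        who.append("group")
    if mode & stat.S_IXOTH:
        who.append("other")
    return who


def audit_binary(path: str) -> dict:
    """Live check of a real file: decoded caps (empty if the xattr is absent) and exec exposure."""
    st = os.stat(path)
    try:
        rendered = format_vfs_cap(parse_vfs_cap(os.getxattr(path, "security.capability")))
    except OSError:  # ENODATA: no file capabilities set
        rendered = ""
    return {"caps": rendered, "exec": exec_exposure(st.st_mode)}


# Constructed sample: the xattr `setcap cap_dac_read_search+ep` writes (revision 2).
SAMPLE_XATTR = bytes.fromhex("01000002" "04000000" "00000000" "00000000" "00000000")
# Constructed sample of the Cap* lines for an agent started by the snow user from that binary.
SAMPLE_STATUS = ("CapInh:\t0000000000000000\nCapPrm:\t0000000000000004\n"
                 "CapEff:\t0000000000000004\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n")

if __name__ == "__main__":
    print(format_vfs_cap(parse_vfs_cap(SAMPLE_XATTR)))
    print(process_can_bypass_dac_read(SAMPLE_STATUS))
    try:
        print(audit_binary("/opt/snow/snowagent"))  # assumed install path from the article
    except FileNotFoundError:
        print("/opt/snow/snowagent is not installed on this host")
```

Run it on a host where the capability has been applied and audit_binary should report cap_dac_read_search=ep; if "other" appears in the exec list, the binary is world-executable and the bypass is available to every local account, which is the first thing to tighten.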
References / further reading -
https://wiki.archlinux.org/title/capabilities
https://man.archlinux.org/man/capabilities.7