{"id":20163361,"url":"https://github.com/sjinks/setcap-static","last_synced_at":"2025-04-10T00:36:41.290Z","repository":{"id":38040106,"uuid":"372228074","full_name":"sjinks/setcap-static","owner":"sjinks","description":"A statically linked lightweight version of setcap(8) to use in `scratch` images","archived":false,"fork":false,"pushed_at":"2025-04-03T10:14:01.000Z","size":316,"stargazers_count":6,"open_issues_count":2,"forks_count":2,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-04-03T11:26:13.777Z","etag":null,"topics":["capabilities","linux-capabilities","scratch-image","security","security-tools","setcap"],"latest_commit_sha":null,"homepage":"https://wildwolf.name/multi-stage-docker-builds-and-xattrs/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sjinks.png","metadata":{"funding":{"custom":["https://www.paypal.com/donate/?hosted_button_id=SAG6877JDJ3KU","https://send.monobank.ua/jar/7rosVfiwKM"]},"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-05-30T13:56:28.000Z","updated_at":"2025-03-24T23:26:51.000Z","dependencies_parsed_at":"2023-11-14T17:26:40.352Z","dependency_job_id":"bc77066e-9a21-4bc4-b3b5-d6dec6ff7d42","html_url":"https://github.com/sjinks/setcap-static","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sjinks%2Fsetcap-static","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sjinks%2Fsetcap-static/tags","releases_url":"https://repos.ecosyste
.ms/api/v1/hosts/GitHub/repositories/sjinks%2Fsetcap-static/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sjinks%2Fsetcap-static/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sjinks","download_url":"https://codeload.github.com/sjinks/setcap-static/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248137998,"owners_count":21053774,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["capabilities","linux-capabilities","scratch-image","security","security-tools","setcap"],"created_at":"2024-11-14T00:29:14.163Z","updated_at":"2025-04-10T00:36:41.266Z","avatar_url":"https://github.com/sjinks.png","language":"C","funding_links":["https://www.paypal.com/donate/?hosted_button_id=SAG6877JDJ3KU","https://send.monobank.ua/jar/7rosVfiwKM"],"categories":[],"sub_categories":[],"readme":"# setcap-static\n\n[![Build](https://github.com/sjinks/setcap-static/actions/workflows/build.yml/badge.svg)](https://github.com/sjinks/setcap-static/actions/workflows/build.yml)\n[![Docker CI/CD](https://github.com/sjinks/setcap-static/actions/workflows/docker.yml/badge.svg)](https://github.com/sjinks/setcap-static/actions/workflows/docker.yml)\n[![Language grade: C/C++](https://img.shields.io/lgtm/grade/cpp/g/sjinks/setcap-static.svg?logo=lgtm\u0026logoWidth=18)](https://lgtm.com/projects/g/sjinks/setcap-static/context:cpp)\n![Docker Image Size](https://img.shields.io/docker/image-size/wildwildangel/setcap-static/latest)\n\n`setcap-static` is a statically linked trimmed down 
version of [setcap(8)](https://linux.die.net/man/8/setcap). It sets the capabilities of the given filename to the capabilities specified.\n\n## Why\n\nKubeSec security guidelines suggest that the running image should be \"run as a [non-root user to ensure the least privilege](https://kubesec.io/basics/containers-securitycontext-runasnonroot-true/).\" However, if the containerized application needs some `root` privileges (like binding to a port below 1024) and runs in a `scratch` image, this is not straightforward.\n\nThe issue is that Docker's `COPY` command does not preserve extended attributes; therefore, you cannot do something like this:\n\n```Dockerfile\nFROM alpine:3.13 as build\n\n# ...\n\nRUN \\\n    apk add --no-cache libcap \\\n    \u0026\u0026 setcap 'cap_net_bind_service=+ep' my-cool-application \\\n    \u0026\u0026 apk del --no-cache libcap\n\n# ...\n\nFROM scratch\nCOPY --from=build /path/to/my-cool-application /my-cool-application\n```\n\nIn the target image, `my-cool-application` will not have the capabilities that were set in the `build` image. Therefore, if you need to grant some capabilities to your application, you have to do it in the target image. You cannot simply copy `setcap` from Alpine, because it is a dynamically linked executable (it depends on ld-musl, libcap, libc.musl).\n\nHere comes `setcap-static`. It is a lightweight version of `setcap`: it can only set the capabilities on a file; it does not support the other options of `setcap`.\n\nUnlike `setcap`, `setcap-static` has an option to delete itself: this can be handy for `scratch` images if you don't want to leave any executables other than your application visible to the user (or an attacker). 
If `setcap-static` detects that the first two characters of `argv[0]` are `/!`, it will delete itself after a successful operation.\n\nFor example,\n\n```Dockerfile\nFROM scratch\nCOPY --from=wildwildangel/setcap-static /setcap-static /!setcap-static\nCOPY --from=build /build/build/tiny-ssh-honeypot /tiny-ssh-honeypot\nRUN [\"/!setcap-static\", \"cap_net_bind_service=+ep\", \"/tiny-ssh-honeypot\"]\n```\n\nAfter granting the `CAP_NET_BIND_SERVICE` capability to `tiny-ssh-honeypot`, `setcap-static` will delete itself.\n\n## Build\n\nBuild dependencies:\n  * Alpine: cmake, make, libcap-dev, libcap-static\n  * Ubuntu: cmake, make, libcap-dev\n\n```bash\ncmake -S . -B build -DCMAKE_BUILD_TYPE=MinSizeRel\ncmake --build build --config MinSizeRel\n```\n\n## Usage\n\n```bash\nsetcap-static capabilities filename\n```\n\n  * `capabilities` is the list of capabilities in the form supported by [`cap_from_text(3)`](https://linux.die.net/man/3/cap_from_text) (or by `setcap`)\n  * `filename` is the name of the file to operate on; it must not refer to a symlink.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsjinks%2Fsetcap-static","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsjinks%2Fsetcap-static","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsjinks%2Fsetcap-static/lists"}