SlideShare a Scribd company logo

Linux Capabilities - eng - v2.1.5, compact

Download as ODP, PDF
Alessandro Selli
Alessandro Selli

Linux Capabilities: A better root than SUID root Presented at LinuxCon2014, Düsseldorf, Oct. 15th 2014

Software
1 of 58
Linux Capabilites Table of Contents Title Pages Title Pages Table of Contents 1 Extracting and... 4 Copyright Notice 1 System Configuration 2 LC: what they are... 3 Capability Assignment 10 The ping case 4 Distro Status 7 What LC for ping? 3 Issues? 2 Managing LCs 4 Aknowledgments 1 More examples 10
CCooppyyrriigghhtt NNoottiiccee Presentation by: Alessandro Selli <alessandroselli@linux.com> Copyright © 2014 Alessandro Selli. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later one published by the Free Software Foundation, with the Invariant Section being the present slide (number 1), no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is available on-line or can be obtained from the author. Version 2.1.5, 2014/10/28
Linux Capabilites: what they are and do 1-3 ● Started as an implementation of POSIX:  1003.1e (API), "Protection, Audit and Control Interfaces"  1003.2c (Shell and Utilities), "Protection and Control Interfaces" ● Sometimes called Linux POSIX Capabilities ● 1003.1e and 1003.2c were last revised in 1997 ● In 1999 they were set as withdrawn drafts ● Linux has thus gone it's own way
Linux Capabilites: what they are and do 2-3 Advantages: ● They allow delegation of super-user rights to unprivileged processes, like suid bit ● They are recorded on the filesystem, like suid bit ● They do not work on a “everything or nothing” basis, unlike suid In short: ● they allow a process to do some selected things with root rights, while not anything else
Linux Capabilites: what they are and do 3-3 Disadvantages: ● Commands need code to be made LC-conscious ● Some FS do not support LC (NFS v.3, though squashfs, tmpfs and f2fs now do): [root@debian ~]# getcap /mnt/nfs/nfsserver/dumpdates Failed to get capabilities of file `/mnt/nfs/nfsserver/dumpdates' (Operation not supported) [root@debian ~]# ● LCs are not dropped like SUID  The newer libcap-ng libs makes this easy
TThhee ppiinngg ccaassee 11--44 ● A classic example: ping ● It needs superuser rights to send echo-request ICMP packets ● You surely do not want to let anyone be able to produce arbitrary ICMP packets! ● This is the traditional approach:
TThhee ppiinngg ccaassee 22--44 Starting situation: [alessandro@ubuntu ~]$ lsb_release ­drc Description: Ubuntu 14.04.1 LTS Release: 14.04 Codename: trusty [alessandro@ubuntu ~]$ ll /bin/ping ­rwsr­xr­x 1 root root 44178 mag 7 23:51 /bin/ping [alessandro@ubuntu ~]$ ping ­c 3 route­add. net PING route­add. net (195.182.210.166) 56(84) bytes of data. 64 bytes from route­add. net (195.182.210.166): icmp_seq=1 ttl=55 time=46.8 ms 64 bytes from route­add. net (195.182.210.166): icmp_seq=2 ttl=55 time=46.6 ms 64 bytes from route­add. net (195.182.210.166): icmp_seq=3 ttl=55 time=45.5 ms ­­­route­add. net ping statistics ­­­3 packets transmitted, 3 received, 0% packet loss, time 2002ms rtt min/avg/max/mdev = 45.549/46.329/46.829/0.558 ms [alessandro@ubuntu ~]$
TThhee ppiinngg ccaassee 33--44 ● According to standards, the process rights are those of the user who launched the exec Not of the owner of the executable file! ● Unless the suid bit is set, that is. ­rwsr­xr­x 1 root root 44178 mag 7 23:51 /bin/ping
TThhee ppiinngg ccaassee 44--44 Let's “sabotage” ping: [root@ubuntu ~]# chmod u­s /bin/ping [root@ubuntu ~]# ll /bin/ping ­rwxr­xr­x 1 root root 44178 mag 7 23:51 /bin/ping [root@ubuntu ~]# The aftermath: [alessandro@ubuntu ~]$ ping ­c 3 route­add. net ping: icmp open socket: Operation not permitted [alessandro@ubuntu ~]$ If not otherwise stated, Ubuntu and Fedora it's the same.
WWhhaatt LLCC ffoorr ppiinngg?? 11--33 ● We want both the power and the safety ● We want to be able to open ICMP sockets without assuming full root privileges! ● How do Linux Capabilities help us out? ● RTFM, of course! ➢ man capabilities(7) ➢ Most up-to-date list & info: linux/include/uapi/linux/capability.h
WWhhaatt LLCC ffoorr ppiinngg?? 22--33 We get many capabilities to choose from: AUDIT_CONTROL AUDIT_WRITE BLOCK_SUSPEND CHOWN DAC_OVERRIDE DAC_READ_SEARCHC AP_LEASE FOWNER FSETID IPC_LOCK IPC_OWNER KILL LEASE LINUX_IMMUTABLE MAC_ADMIN MAC_OVERRIDE MKNOD NET_ADMIN NET_BIND_SERVICE This is what we need now NET_RAW SETGID SETFCAP SETPCAP SETUID SYS_ADMIN SYS_BOOT SYS_CHROOT SYS_MODULE SYS_NICE SYS_PACCT SYS_PTRACE SYS_RAWIO SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG SYSLOG WAKE_ALARM
WWhhaatt LLCC ffoorr ppiinngg?? 22--33 We get many capabilities to choose from: AUDIT_CONTROL AUDIT_WRITE BLOCK_SUSPEND CHOWN DAC_OVERRIDE DAC_READ_SEARCHC AP_LEASE Leading CAP_ omitted everywhere FOWNER FSETID IPC_LOCK IPC_OWNER KILL LEASE LINUX_IMMUTABLE MAC_ADMIN MAC_OVERRIDE MKNOD NET_ADMIN NET_BIND_SERVICE This is what we need now NET_RAW SETGID SETFCAP SETPCAP SETUID SYS_ADMIN SYS_BOOT SYS_CHROOT SYS_MODULE SYS_NICE SYS_PACCT SYS_PTRACE SYS_RAWIO SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG SYSLOG WAKE_ALARM
WWhhaatt LLCC ffoorr ppiinngg?? 33--33 Man page says: CAP_NET_RAW * use RAW and PACKET sockets; * bind to any address for transparent proxying. Sounds like what we need. How shall we apply it?
MMaannaaggiinngg LLCCss 11--44 Capabilities can be handled whith commands: ➢ getcap, display file capabilities ➢ setcap, set file capabilities ➢ getpcaps, display process capabilities ➢ capsh, capability shell wrapper Each capability can have these sets associated: ➢ p, process is permitted the capability ➢ e, capability is marked as effective ➢ i, capability is inherited after an execve()
MMaannaaggiinngg LLCCss 11--44 Capabilities can be handled whith commands: ➢ getcap, display file capabilities ➢ setcap, set file capabilities ➢ getpcaps, display process capabilities ➢ capsh, capability shell wrapper Each capability can have these sets associated: ➢ p, process is permitted the capability ➢ e, capability is marked as effective ➢ i, capability is inherited after an execve() This has become a bit
MMaannaaggiinngg LLCCss 22--44 Let's start using them: [root@ubuntu ~]# chmod u­s /bin/ping [root@ubuntu ~]# ll /bin/ping ­rwxr­xr­x 1 root root 44168 mag 7 23:51 /bin/ping* [root@ubuntu ~]# getcap /bin/ping [root@ubuntu ~]# setcap CAP_NET_RAW=ep /bin/ping Case sensitive! Case-insensitive
MMaannaaggiinngg LLCCss 22--44 Let's start using them: [root@ubuntu ~]# chmod u­s /bin/ping [root@ubuntu ~]# ll /bin/ping ­rwxr­xr­x 1 root root 44168 mag 7 23:51 /bin/ping* [root@ubuntu ~]# getcap /bin/ping [root@ubuntu ~]# setcap CAP_NET_RAW=ep /bin/ping [root@ubuntu ~]# getcap /bin/ping /bin/ping = cap_net_raw+ep [root@ubuntu ~]# Can use this notation with setcap, too
MMaannaaggiinngg LLCCss 33--44 Does it work? [alessandro@ubuntu ~]$ ping ­c 3 route­add. net PING route­add. net (195.182.210.166) 56(84) bytes of data. 64 bytes from route­add. net (195.182.210.166): icmp_seq=1 ttl=55 time=30.7 ms 64 bytes from route­add. net (195.182.210.166): icmp_seq=2 ttl=55 time=30.9 ms 64 bytes from route­add. net (195.182.210.166): icmp_seq=3 ttl=55 time=31.3 ms ­­­route­add. net ping statistics ­­­3 packets transmitted, 3 received, 0% packet loss, time 2000ms rtt min/avg/max/mdev = 30.709/30.988/31.350/0.304 ms [alessandro@ubuntu ~]$
MMaannaaggiinngg LLCCss 44--44 Just a note: ping capabilities in Fedora 20: [root@fedora ~]# getcap /bin/ping /bin/ping = cap_net_admin,cap_net_raw+ep [root@fedora ~]# CAP_NET_ADMIN is for packet tagging: [alessandro@fedora ~]$ ping ­c1 ­m 123 route­add. net PING route­add. net (195.182.210.166) 56(84) bytes of data. Warning: Failed to set mark 123 64 bytes from route­add. net (195.182.210.166): icmp_seq=1 ttl=53 time=45.8 ms ­­­route­add. net ping statistics ­­­1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 45.802/45.802/45.802/0.000 ms [alessandro@fedora ~]$
MMoorree eexxaammpplleess 11--1111 Everyone knows of extended POSIX attributes, right? RRiigghhtt?? If you don't, you ought to. ● LC are useful, even necessary to make use of EPA.
MMoorree eexxaammpplleess 22--1111 EPAs let you, among the rest, set files that: ­a: can only have data be appended to ­i: are immutable (cannot overwrite or erase) ­S: do synchronous writes on the media ­D: synchronous writes on directories ... (there can be up to 19) Figuring out what filesystem supports which EPA and with not is a matter of guesswork...
MMoorree eexxaammpplleess 33--1111 There is one catch, though: ● chattr does not work for ordinary users: [alessandro@fedora ~]$ chattr +i .bashrc chattr: Operation not permitted while setting flags on .bashrc [alessandro@fedora ~]$
MMoorree eexxaammpplleess 44--1111 Classical UNIX solution is to make it SUID root: [root@fedora ~]# ll /usr/bin/chattr ­rwxr­xr­x 1 root root 10528 giu 24 13:10 /usr/bin/chattr [root@fedora ~]# chmod u+s /usr/bin/chattr [root@fedora ~]# ll /usr/bin/chattr ­rwsr­xr­x 1 root root 10528 giu 24 13:10 /usr/bin/chattr [root@fedora ~]# It would work: [alessandro@fedora ~]$ chattr +i .bashrc [alessandro@fedora ~]$ lsattr .bashrc ­­­­i­­­­­­­­e­­. bashrc [alessandro@fedora ~]$
MMoorree eexxaammpplleess 55--1111 But... [alessandro@fedora ~]$ lsattr ~games/.profile ­­­­­­­­­­­­­e­­/ opt/games/.profile [alessandro@fedora ~]$ chattr +i ~games/.profile [alessandro@fedora ~]$ lsattr ~games/.profile ­­­­i­­­­­­­­e­­/ usr/games/.profile [alessandro@fedora ~]$ Which is normal for superuser rights. We definitely do not want this to happen.
MMoorree eexxaammpplleess 66--1111 This is the right way to do it: [root@fedora ~]# chmod u­s /bin/chattr [root@fedora ~]# ll /bin/chattr ­rwxr­xr­x 1 root root 10736 Aug 3 11:36 /bin/chattr [root@fedora ~]# setcap CAP_LINUX_IMMUTABLE=ep /bin/chattr [root@fedora ~]# getcap /bin/chattr /bin/chattr = cap_linux_immutable+ep [root@fedora ~]#
MMoorree eexxaammpplleess 77--1111 Which causes the right things to happen: [alessandro@fedora ~]$ lsattr .bashrc ­­­­­­­­­­­­­e­­. bashrc [alessandro@fedora ~]$ chattr +i .bashrc [alessandro@fedora ~]$ lsattr .bashrc ­­­­i­­­­­­­­e­­. bashrc [alessandro@fedora ~]$ chattr +i ~games/.profile chattr: Permission denied while setting flags on /usr/games/.profile [alessandro@fedora ~]$
"I'm sorry Dave, I'm afraid I can't do that".
MMoorree eexxaammpplleess 88--1111 ●DAC = Discretionary Access Control ● It's the classic Unix “who gets to do what” decision mechanism ● In the filesystem it shows as the rwx file rights ● Linux Capabilities can mess them up as well! :-)
MMoorree eexxaammpplleess 99--1111 Let's beep the beeper! (In an xterm) [alessandro@fedora ~]$ beep ­f 2000 ­l 100 Could not open /dev/tty0 or /dev/vc/0 for writing open: No such file or directory [alessandro@fedora ~]$ Man page says: By default beep is not installed with the suid bit set, because that would just be zany. On the other hand, if you do make it suid root, all your problems with beep bailing on ioctl calls will magically vanish, which is pleasant, and the only reason not to is that any suid program is a potential security hole. Conveniently, beep is very short, so auditing it is pretty straightforward.
MMoorree eexxaammpplleess 1100--1111 Let's try using LC instead. The error we got was: Could not open /dev/tty0 or /dev/vc/0 for writing That is, it's a DAC issue. [root@fedora ~]# setcap CAP_DAC_OVERRIDE=pe /bin/beep [root@fedora ~]# [alessandro@fedora ~]$ beep ­f 2000 ­l 100 ioctl: Operation not permitted ioctl: Operation not permitted [alessandro@fedora ~]$ CAP_SYS_TTY_CONFIG Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals. From beep(1):
MMoorree eexxaammpplleess 1100--1111 Both capabilities together: [root@fedora ~]# setcap > CAP_DAC_OVERRIDE,CAP_SYS_TTY_CONFIG=pe /bin/beep [root@fedora ~]# [alessandro@fedora ~]$ beep ­f 2000 ­l 100 [alessandro@fedora ~]$
"All right Dave, I think I figured out a way to do that"
Extracting and Decoding LC info 1-4 What LCs are active now? [root@ubuntu ~]# cp /bin/bash /tmp/ [root@ubuntu ~]# setcap CAP_KILL,CAP_DAC_OVERRIDE+epi /tmp/bash [root@ubuntu ~]# getcap /tmp/bash /tmp/bash = cap_dac_override,cap_kill+eip [root@ubuntu ~]# Inheritance is set [alessandro@ubuntu ~]$ /tmp/bash ­l [alessandro@ubuntu ~]$ getpcaps $$ Capabilities for `15400': = cap_dac_override,cap_kill+ep [alessandro@ubuntu ~]$ grep ^Cap /proc/$$/status CapInh: 0000000000000000 CapPrm: 0000000000000022 CapEff: 0000000000000022 CapBnd: 0000001fffffffff [alessandro@ubuntu ~]$ Inheritance is missing!
Extracting and Decoding LC info 2-4 Decoding Hex LC bitmap: [alessandro@ubuntu ~]$ grep ^Cap /proc/$$/status CapInh: 0000000000000000 CapPrm: 0000000000000022 CapEff: 0000000000000022 CapBnd: 0000001fffffffff [alessandro@ubuntu ~]$ capsh ­­decode= 0000000000000000 0x0000000000000000= [alessandro@ubuntu ~]$ capsh ­­decode= 0000000000000022 0x0000000000000022=cap_dac_override,cap_kill [alessandro@ubuntu ~]$ Still represented as a set
Extracting and Decoding LC info 3-4 0000001fffffffff = Capability Bounding Set 1 = allowable cap (kept if present) 0 = masked cap (or no LC associated to bit) Bits are mapped one-to-one to a LC 0000001fffffffff is a 64-bit mask ● It's been a 64 bit mask since libcap vers. 2.03 ● Before it was 32-bit
Extracting and Decoding LC info 4-4 Number of bit-mapped capabilities is consistent with zero-based value stored in /proc/sys/kernel/cap_last_cap Kernel 3.14.19:1fffffffff → 1+9*4=37 /proc/sys/kernel/cap_last_cap = 36 Kernel 3.16.3: 3fffffffff → 2+9*4=38 /proc/sys/kernel/cap_last_cap = 37
SSyysstteemm CCoonnffiigguurraattiioonn 11--22 capability.conf1: users who inherit LCs [root@ubuntu ~]# cat /etc/security/capability.conf cap_kill alessandro none * [root@ubuntu ~]# Changes are effective after a new login: Ubuntu 14.04.1 LTS ubuntu tty1 If missing all users get all available capabilities! CAP_KILL is now inherited ubuntu login: alessandro Password: [alessandro@ubuntu ~]$ getpcaps $$ Capabilities for `8586': = cap_kill+i [alessandro@ubuntu ~]$
SSyysstteemm CCoonnffiigguurraattiioonn 22--22 Child process of new shell now does inherit LCs: [alessandro@ubuntu ~]$ getpcaps $$ Capabilities for `16332': = cap_kill+i [alessandro@ubuntu ~]$ getcap /tmp/bash /tmp/bash = cap_dac_override,cap_kill+eip [alessandro@ubuntu ~]$ /tmp/bash ­l [alessandro@ubuntu ~]$ getpcaps $$ Capabilities for `16849': = cap_kill+eip cap_dac_override+ep [alessandro@ubuntu ~]$ Cap is in config file Cap is not in config file 1) Ubuntu package libpam-cap is required. Fedora has package libcap, but this setup does not work (PAM failure: System error)
Capability aassssiiggnnmmeenntt 11--1100 2.2.11 2.6.25 optional 2.6.33 built-in System-wide bounding-set Per-thread bounding-set ● Before 2.6.25 Bounding Set was system-wide ● Beginning 2.6.25 it's per-thread ● Can be dropped by process with CAP_SETPCAP via prctl(2) PR_CAPBSET_DROP operation ● Inherited at fork(2), preserved on execve(2) ● Optional until 2.6.33, then built-in
Capability aassssiiggnnmmeenntt 22--1100 N New P Previous F Capab. set to the File e Effective capability p Permitted capability i Inherited capability CBS Capability Bounding Set1 New capabilities used to be computed this way: Np (Pi∪Fi)∩(Fp∪CBS) Ne Fe∪Np Ni Pi 1) Mask of permitted capabilities retained after an execve(2). No effect on inherited caps. From kernel 2.6.25, limits inherited capabilities that can be added to self even if they are permitted.
Capability aassssiiggnnmmeenntt 33--1100 N New P Previous F Capab. set to the File e Effective capability p Permitted capability i Inherited capability CBS Capability Bounding Set1 Now they are computed this way: Np (Pi∪Fi)∩(Fp∪CBS) Ne Fe ? Np : 02 Ni Pi 2) Not and AND any more, because Effective set is a bit, no longer a set (one bit per capability) as it used to be.
Capability aassssiiggnnmmeenntt 44--1100 What does the Capability Bounding Set do? 1) On an execve(2), it ANDs out thread's permitted caps from file's permitted caps. 2) Limits thread's inheritable caps that can be added with a capset(2) (kernel >= 2.6.25). a)Filtered capability can still be permitted b)Inheritable cap can still be set if it's in file's inheritable set.
Capability aassssiiggnnmmeenntt 55--1100 Possibile security risk: undesired permitted caps. Consider the situation: 1) Parent process has CAP_X Inh, not in CBS 2) CAP_X cannot be in Perm set a) But it is retained in Inh set by children 3) Process can still exec child with CAP_X in both Perm and Inh sets! Dropping CBS can instill a false sense of security! Alone it's not sufficient!
Capability aassssiiggnnmmeenntt 66--1100 Like SUID, shell scripts' LC are not honored: [alessandro@ubuntu ~]$ cat ~/bin/test_cap.sh #!/bin/dash getpcaps $$ grep ^Cap /proc/$$/status [alessandro@ubuntu ~]$ getcap ~/bin/test_cap.sh /home/alessandro/bin/test_cap.sh = cap_linux_immutable+ep [alessandro@ubuntu ~]$ test_cap.sh Capabilities for `9093': = Not honored CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 Not honored CapBnd: 0000001fffffffff [alessandro@ubuntu ~]$
Capability aassssiiggnnmmeenntt 77--1100 Only binary executables' LC are honored: [alessandro@ubuntu ~]$ cat ~/bin/test2_cap.sh #!/tmp/dash getpcaps $$ grep ^Cap /proc/$$/status [alessandro@ubuntu ~]$ getcap ~/bin/test2_cap.sh /tmp/dash /tmp/dash = cap_linux_immutable+ep [alessandro@ubuntu ~]$ test2_cap.sh Capabilities for `9218': = cap_linux_immutable+ep CapInh: 0000000000000000 CapPrm: 0000000000000200 CapEff: 0000000000000200 Now honored Now honored CapBnd: 0000001fffffffff [alessandro@ubuntu ~]$
Capability aassssiiggnnmmeenntt 88--1100 Command capsh can reduce shell CBS: [alessandro@ubuntu ~]$ getcap $(which capsh) /sbin/capsh = cap_setpcap+p [alessandro@ubuntu ~]$ grep ^Cap /proc/$$/status CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000001fffffffff [alessandro@ubuntu ~]$ capsh ­­drop= cap_net_raw ­­[ alessandro@ubuntu ~]$ grep ^Cap /proc/$$/status CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000001fffffdfff [alessandro@ubuntu ~]$
Capability aassssiiggnnmmeenntt 99--1100 CBS reduction with capsh. Initial state: [alessandro@ubuntu ~]$ getcap $(which capsh ping) /sbin/capsh = cap_setpcap+p /bin/ping = cap_net_raw+p [alessandro@ubuntu ~]$ getpcaps $$ Capabilities for `7842': = [alessandro@ubuntu ~]$ ping ­qc1 route­add. net PING route­add. net (195.182.210.166) 56(84) bytes of data. ­­­route­add. net ping statistics ­­­1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 27.718/27.718/27.718/0.000 ms [alessandro@ubuntu ~]$
CCaappaabbiilliittyy aassssiiggnnmmeenntt 1100--1100 Running new shell with lowered CBS via capsh: [alessandro@ubuntu ~]$ capsh ­­drop= cap_net_raw ­­[ alessandro@ubuntu ~]$ grep ^Cap /proc/$$/status CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000001fffffdfff [alessandro@ubuntu ~]$ capsh ­­decode= 2000 0x0000000000002000=cap_net_raw [alessandro@ubuntu ~]$ ping ­qc1 route­add. net ping: icmp open socket: Operation not permitted [alessandro@ubuntu ~]$
DDiissttrroo ssttaattuuss 11--77 The plan is to replace as many SUID/SGID executables with capabilities as possible: ● Fedora: Last update: 2011-04-05, completion: 100% (many, but not all, SUID taken off) ● Ubuntu: WIP (Last update: 2011-09-27) Not everything SUID could be ported to Linux Capabilities (yet)
DDiissttrroo ssttaattuuss 22--77 Fedora 20 (Heisenbug): a couple dozen suid files (in a non-standard LXDE install) # find / ­xdev ­type f ­perm /111 ­perm /4000 ­user root | wc ­l 23 # /usr/sbin/mount.nfs /usr/bin/mount /usr/bin/chsh /usr/bin/write /usr/bin/fusermount /usr/bin/umount /usr/bin/chage /usr/bin/passwd /usr/bin/newgrp /usr/bin/locate /usr/bin/su /usr/bin/sudo /usr/bin/gpasswd /usr/bin/cgexec /usr/bin/chfn /usr/bin/Xorg /usr/bin/ssh­agent /usr/bin/crontab /usr/bin/at /usr/bin/ksu /usr/sbin/postqueue /usr/sbin/postdrop /usr/sbin/ssmtp /usr/bin/pkexec
DDiissttrroo ssttaattuuss 33--77 Ubuntu 14.04.1 (Trusty Tahr): a few more (also in a non-standard, XFCE install) # find / /usr ­xdev ­type f ­perm /111 ­perm /4000 ­user root | wc ­l 29 # They used to be 34 in 13.10 (Saucy Salamander)
DDiissttrroo ssttaattuuss 44--77 Let's see one case where LC do not work: [alessandro@fedora ~]$ ll /usr/bin/at ­rwsr­xr­x 1 root root 53208 5 dic 12.34 /usr/bin/at [alessandro@fedora ~]$ getcap /usr/bin/at [alessandro@fedora ~]$ Let's strip off the SUID bit and any cap: [root@fedora ~]# chmod u­s /usr/bin/at [root@fedora ~]# setcap ­r /usr/bin/at [root@fedora ~]# [alessandro@fedora ~]$ at ­f ~/bin/at.sh now+5min cannot set egid: Operation not permitted [alessandro@fedora ~]$
DDiissttrroo ssttaattuuss 55--77 Let's try to make it happy: [root@fedora ~]# setcap CAP_SETGID+ep /usr/bin/at [root@fedora ~]# No joy: [alessandro@fedora ~]$ at ­f ~/bin/at.sh now+5min cannot set euid: Operation not permitted [alessandro@fedora ~]$ [root@fedora ~]# setcap CAP_SETUID,CAP_SETGID+ep /usr/bin/at [root@fedora ~]# [alessandro@fedora ~]$ at ­f ~/bin/at.sh now+5min PAM failure: System error [alessandro@fedora ~]$ :­(
DDiissttrroo ssttaattuuss 66--77 Log says: [alessandro@fedora ~]$ tail ­1 /var/log/secure Feb 23 10:08:43 fedora at: PAM audit_log_acct_message() failed: Operation not permitted [alessandro@fedora ~]$ Game over, for now.
DDiissttrroo ssttaattuuss 77--77 Ubuntu has taken a different approach: ● it uses the same at/atd implementation (by Thomas Koenig, ig25@rz.uni-karlsruhe.de) ● it runs the daemon as user daemon ● the client command is SUID and SGUI daemon:daemon, allowing it to:  write into /var/spool/cron/atjobs/.SEQ  send atd signals Old school, simple, effective, safe.
IIssssuueess?? 11--22 «Why are not more people aware of and using capabilities? I believe that poor documentation is the primary reason. For example, Fedora 10 is missing the man pages for getpcaps, capsh and pam_cap, and the Fedora Security Guide does not even mention capabilities» (Finnbarr P. Murphy, May 28th, 2009 ) Every bit as true today!
IIssssuueess?? 22--22 ●Online distro docs stopped years ago ● Fedora Security Guide in same condition in 19.1, and is absent in 20 documentation ➢ At least man pages are there ➢ SELinux only future? ● Behaviour of LC changing over time ➢ Same commands, capabilities and sets yield different result from 2.6.24 with no errors ● libcap-ng should make programming easier
AAkknnoowwlleeddggmmeennttss 11--11 ● The Linux man-pages Project people ( https://www.kernel.org/doc/man-pages/) ● Finnbarr P. Murphy (blog post and references, useful though outdated) ● And kernel developers, of course!  Andrew G. Morgan <morgan@kernel.org>  Alexander Kjeldaas <astor@guardian.no> with help from Aleph1, Roland Buresund and Andrew Main.

Recommended

Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Jarod Wang
 
David container security-with_falco
David container security-with_falcoDavid container security-with_falco
David container security-with_falco
Lorenzo David
 
Multiply your Testing Effectiveness with Parameterized Testing, v1
Multiply your Testing Effectiveness with Parameterized Testing, v1Multiply your Testing Effectiveness with Parameterized Testing, v1
Multiply your Testing Effectiveness with Parameterized Testing, v1
Brian Okken
 
Deploying Prometheus stacks with Juju
Deploying Prometheus stacks with JujuDeploying Prometheus stacks with Juju
Deploying Prometheus stacks with Juju
J.J. Ciarlante
 
Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)
Brendan Gregg
 
Patching: answers to questions you probably were afraid to ask about oracle s...
Patching: answers to questions you probably were afraid to ask about oracle s...Patching: answers to questions you probably were afraid to ask about oracle s...
Patching: answers to questions you probably were afraid to ask about oracle s...
DATA SECURITY SOLUTIONS
 
DiUS Computing Lca Rails Final
DiUS Computing Lca Rails FinalDiUS Computing Lca Rails Final
DiUS Computing Lca Rails Final
Robert Postill
 
Active Web Development
Active Web DevelopmentActive Web Development
Active Web Development
Divya Manian
 

Recommended

Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Jarod Wang
 
David container security-with_falco
David container security-with_falcoDavid container security-with_falco
David container security-with_falco
Lorenzo David
 
Multiply your Testing Effectiveness with Parameterized Testing, v1
Multiply your Testing Effectiveness with Parameterized Testing, v1Multiply your Testing Effectiveness with Parameterized Testing, v1
Multiply your Testing Effectiveness with Parameterized Testing, v1
Brian Okken
 
Deploying Prometheus stacks with Juju
Deploying Prometheus stacks with JujuDeploying Prometheus stacks with Juju
Deploying Prometheus stacks with Juju
J.J. Ciarlante
 
Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)
Brendan Gregg
 
Patching: answers to questions you probably were afraid to ask about oracle s...
Patching: answers to questions you probably were afraid to ask about oracle s...Patching: answers to questions you probably were afraid to ask about oracle s...
Patching: answers to questions you probably were afraid to ask about oracle s...
DATA SECURITY SOLUTIONS
 
DiUS Computing Lca Rails Final
DiUS Computing Lca Rails FinalDiUS Computing Lca Rails Final
DiUS Computing Lca Rails Final
Robert Postill
 
Active Web Development
Active Web DevelopmentActive Web Development
Active Web Development
Divya Manian
 
YOW2020 Linux Systems Performance
YOW2020 Linux Systems PerformanceYOW2020 Linux Systems Performance
YOW2020 Linux Systems Performance
Brendan Gregg
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
Brendan Gregg
 
bcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesbcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challenges
IO Visor Project
 
Tuning parallelcodeonsolaris005
Tuning parallelcodeonsolaris005Tuning parallelcodeonsolaris005
Tuning parallelcodeonsolaris005dflexer
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerunidsecconf
 
Performance Wins with BPF: Getting Started
Performance Wins with BPF: Getting StartedPerformance Wins with BPF: Getting Started
Performance Wins with BPF: Getting Started
Brendan Gregg
 
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Valeriy Kravchuk
 
Linux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudLinux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloud
Andrea Righi
 
eBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceeBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to Userspace
SUSE Labs Taipei
 
LSFMM 2019 BPF Observability
LSFMM 2019 BPF ObservabilityLSFMM 2019 BPF Observability
LSFMM 2019 BPF Observability
Brendan Gregg
 
OSSNA 2017 Performance Analysis Superpowers with Linux BPF
OSSNA 2017 Performance Analysis Superpowers with Linux BPFOSSNA 2017 Performance Analysis Superpowers with Linux BPF
OSSNA 2017 Performance Analysis Superpowers with Linux BPF
Brendan Gregg
 
LPC2019 BPF Tracing Tools
LPC2019 BPF Tracing ToolsLPC2019 BPF Tracing Tools
LPC2019 BPF Tracing Tools
Brendan Gregg
 
Security Monitoring with eBPF
Security Monitoring with eBPFSecurity Monitoring with eBPF
Security Monitoring with eBPF
Alex Maestretti
 
Performance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux KernelPerformance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux Kernel
lcplcp1
 
Kernel Recipes 2017: Using Linux perf at Netflix
Kernel Recipes 2017: Using Linux perf at NetflixKernel Recipes 2017: Using Linux perf at Netflix
Kernel Recipes 2017: Using Linux perf at Netflix
Brendan Gregg
 
BPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLabBPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLab
Taeung Song
 
eBPF Workshop
eBPF WorkshopeBPF Workshop
eBPF Workshop
Michael Kehoe
 
Kernel development
Kernel developmentKernel development
Kernel development
Nuno Martins
 
Spying on the Linux kernel for fun and profit
Spying on the Linux kernel for fun and profitSpying on the Linux kernel for fun and profit
Spying on the Linux kernel for fun and profit
Andrea Righi
 
Linux Performance Tools
Linux Performance ToolsLinux Performance Tools
Linux Performance Tools
Brendan Gregg
 
Linux or unix interview questions
Linux or unix interview questionsLinux or unix interview questions
Linux or unix interview questionsTeja Bheemanapally
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawn
Gábor Nyers
 

More Related Content

What's hot

YOW2020 Linux Systems Performance
YOW2020 Linux Systems PerformanceYOW2020 Linux Systems Performance
YOW2020 Linux Systems Performance
Brendan Gregg
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
Brendan Gregg
 
bcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesbcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challenges
IO Visor Project
 
Tuning parallelcodeonsolaris005
Tuning parallelcodeonsolaris005Tuning parallelcodeonsolaris005
Tuning parallelcodeonsolaris005dflexer
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerunidsecconf
 
Performance Wins with BPF: Getting Started
Performance Wins with BPF: Getting StartedPerformance Wins with BPF: Getting Started
Performance Wins with BPF: Getting Started
Brendan Gregg
 
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Valeriy Kravchuk
 
Linux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudLinux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloud
Andrea Righi
 
eBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceeBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to Userspace
SUSE Labs Taipei
 
LSFMM 2019 BPF Observability
LSFMM 2019 BPF ObservabilityLSFMM 2019 BPF Observability
LSFMM 2019 BPF Observability
Brendan Gregg
 
OSSNA 2017 Performance Analysis Superpowers with Linux BPF
OSSNA 2017 Performance Analysis Superpowers with Linux BPFOSSNA 2017 Performance Analysis Superpowers with Linux BPF
OSSNA 2017 Performance Analysis Superpowers with Linux BPF
Brendan Gregg
 
LPC2019 BPF Tracing Tools
LPC2019 BPF Tracing ToolsLPC2019 BPF Tracing Tools
LPC2019 BPF Tracing Tools
Brendan Gregg
 
Security Monitoring with eBPF
Security Monitoring with eBPFSecurity Monitoring with eBPF
Security Monitoring with eBPF
Alex Maestretti
 
Performance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux KernelPerformance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux Kernel
lcplcp1
 
Kernel Recipes 2017: Using Linux perf at Netflix
Kernel Recipes 2017: Using Linux perf at NetflixKernel Recipes 2017: Using Linux perf at Netflix
Kernel Recipes 2017: Using Linux perf at Netflix
Brendan Gregg
 
BPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLabBPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLab
Taeung Song
 
eBPF Workshop
eBPF WorkshopeBPF Workshop
eBPF Workshop
Michael Kehoe
 
Kernel development
Kernel developmentKernel development
Kernel development
Nuno Martins
 
Spying on the Linux kernel for fun and profit
Spying on the Linux kernel for fun and profitSpying on the Linux kernel for fun and profit
Spying on the Linux kernel for fun and profit
Andrea Righi
 
Linux Performance Tools
Linux Performance ToolsLinux Performance Tools
Linux Performance Tools
Brendan Gregg
 

What's hot (20)

YOW2020 Linux Systems Performance
YOW2020 Linux Systems PerformanceYOW2020 Linux Systems Performance
YOW2020 Linux Systems Performance
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
 
bcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesbcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challenges
 
Tuning parallelcodeonsolaris005
Tuning parallelcodeonsolaris005Tuning parallelcodeonsolaris005
Tuning parallelcodeonsolaris005
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerun
 
Performance Wins with BPF: Getting Started
Performance Wins with BPF: Getting StartedPerformance Wins with BPF: Getting Started
Performance Wins with BPF: Getting Started
 
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
 
Linux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudLinux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloud
 
eBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceeBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to Userspace
 
LSFMM 2019 BPF Observability
LSFMM 2019 BPF ObservabilityLSFMM 2019 BPF Observability
LSFMM 2019 BPF Observability
 
OSSNA 2017 Performance Analysis Superpowers with Linux BPF
OSSNA 2017 Performance Analysis Superpowers with Linux BPFOSSNA 2017 Performance Analysis Superpowers with Linux BPF
OSSNA 2017 Performance Analysis Superpowers with Linux BPF
 
LPC2019 BPF Tracing Tools
LPC2019 BPF Tracing ToolsLPC2019 BPF Tracing Tools
LPC2019 BPF Tracing Tools
 
Security Monitoring with eBPF
Security Monitoring with eBPFSecurity Monitoring with eBPF
Security Monitoring with eBPF
 
Performance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux KernelPerformance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux Kernel
 
Kernel Recipes 2017: Using Linux perf at Netflix
Kernel Recipes 2017: Using Linux perf at NetflixKernel Recipes 2017: Using Linux perf at Netflix
Kernel Recipes 2017: Using Linux perf at Netflix
 
BPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLabBPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLab
 
eBPF Workshop
eBPF WorkshopeBPF Workshop
eBPF Workshop
 
Kernel development
Kernel developmentKernel development
Kernel development
 
Spying on the Linux kernel for fun and profit
Spying on the Linux kernel for fun and profitSpying on the Linux kernel for fun and profit
Spying on the Linux kernel for fun and profit
 
Linux Performance Tools
Linux Performance ToolsLinux Performance Tools
Linux Performance Tools
 

Similar to Linux Capabilities - eng - v2.1.5, compact

Linux or unix interview questions
Linux or unix interview questionsLinux or unix interview questions
Linux or unix interview questionsTeja Bheemanapally
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawn
Gábor Nyers
 
Linux basic commands
Linux basic commandsLinux basic commands
Linux basic commands
Sagar Kumar
 
Designing Tracing Tools
Designing Tracing ToolsDesigning Tracing Tools
Designing Tracing Tools
Sysdig
 
Designing Tracing Tools
Designing Tracing ToolsDesigning Tracing Tools
Designing Tracing Tools
Brendan Gregg
 
101 apend. scripting, crond, atd
101 apend. scripting, crond, atd101 apend. scripting, crond, atd
101 apend. scripting, crond, atd
Acácio Oliveira
 
Docker 原理與實作
Docker 原理與實作Docker 原理與實作
Docker 原理與實作
kao kuo-tung
 
Linux Common Command
Linux Common CommandLinux Common Command
Linux Common Command
Jeff Yang
 
Basic linux commands for bioinformatics
Basic linux commands for bioinformaticsBasic linux commands for bioinformatics
Basic linux commands for bioinformatics
Bonnie Ng
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Prague
tomasbart
 
3.1.c apend scripting, crond, atd
3.1.c apend scripting, crond, atd3.1.c apend scripting, crond, atd
3.1.c apend scripting, crond, atd
Acácio Oliveira
 
Introduction to Docker (as presented at December 2013 Global Hackathon)
Introduction to Docker (as presented at December 2013 Global Hackathon)Introduction to Docker (as presented at December 2013 Global Hackathon)
Introduction to Docker (as presented at December 2013 Global Hackathon)
Jérôme Petazzoni
 
Jana treek 4
Jana treek 4Jana treek 4
Jana treek 4
Jana Treek
 
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
PROIDEA
 
Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]
Vincent Batts
 
An Introduction To Linux
An Introduction To LinuxAn Introduction To Linux
An Introduction To Linux
Ishan A B Ambanwela
 
Linux Server Deep Dives (DrupalCon Amsterdam)
Linux Server Deep Dives (DrupalCon Amsterdam)Linux Server Deep Dives (DrupalCon Amsterdam)
Linux Server Deep Dives (DrupalCon Amsterdam)
Amin Astaneh
 
Linux class 9 15 oct 2021-5
Linux class 9 15 oct 2021-5Linux class 9 15 oct 2021-5
Linux class 9 15 oct 2021-5
Khawar Nehal khawar.nehal@atrc.net.pk
 

Similar to Linux Capabilities - eng - v2.1.5, compact (20)

Linux or unix interview questions
Linux or unix interview questionsLinux or unix interview questions
Linux or unix interview questions
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawn
 
Linux basic commands
Linux basic commandsLinux basic commands
Linux basic commands
 
Designing Tracing Tools
Designing Tracing ToolsDesigning Tracing Tools
Designing Tracing Tools
 
Designing Tracing Tools
Designing Tracing ToolsDesigning Tracing Tools
Designing Tracing Tools
 
101 apend. scripting, crond, atd
101 apend. scripting, crond, atd101 apend. scripting, crond, atd
101 apend. scripting, crond, atd
 
Docker 原理與實作
Docker 原理與實作Docker 原理與實作
Docker 原理與實作
 
Linux Common Command
Linux Common CommandLinux Common Command
Linux Common Command
 
Basic linux commands for bioinformatics
Basic linux commands for bioinformaticsBasic linux commands for bioinformatics
Basic linux commands for bioinformatics
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Prague
 
3.1.c apend scripting, crond, atd
3.1.c apend scripting, crond, atd3.1.c apend scripting, crond, atd
3.1.c apend scripting, crond, atd
 
unixtoolbox
unixtoolboxunixtoolbox
unixtoolbox
 
Introduction to Docker (as presented at December 2013 Global Hackathon)
Introduction to Docker (as presented at December 2013 Global Hackathon)Introduction to Docker (as presented at December 2013 Global Hackathon)
Introduction to Docker (as presented at December 2013 Global Hackathon)
 
Jana treek 4
Jana treek 4Jana treek 4
Jana treek 4
 
KCC_Final.pdf
KCC_Final.pdfKCC_Final.pdf
KCC_Final.pdf
 
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
 
Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]
 
An Introduction To Linux
An Introduction To LinuxAn Introduction To Linux
An Introduction To Linux
 
Linux Server Deep Dives (DrupalCon Amsterdam)
Linux Server Deep Dives (DrupalCon Amsterdam)Linux Server Deep Dives (DrupalCon Amsterdam)
Linux Server Deep Dives (DrupalCon Amsterdam)
 
Linux class 9 15 oct 2021-5
Linux class 9 15 oct 2021-5Linux class 9 15 oct 2021-5
Linux class 9 15 oct 2021-5
 

Recently uploaded

Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
Globus
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
Juraj Vysvader
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
abdulrafaychaudhry
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
AMB-Review
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
wottaspaceseo
 
De mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEDe mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FME
Jelle | Nordend
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
Paco van Beckhoven
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
Ortus Solutions, Corp
 
Software Testing Exam imp Ques Notes.pdf
Software Testing Exam imp Ques Notes.pdfSoftware Testing Exam imp Ques Notes.pdf
Software Testing Exam imp Ques Notes.pdf
MayankTawar1
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
Cyanic lab
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Shahin Sheidaei
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Natan Silnitsky
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
XfilesPro
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
takuyayamamoto1800
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web Services
KrzysztofKkol1
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2
 
GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
Globus
 

Recently uploaded (20)

Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
 
De mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FMEDe mooiste recreatieve routes ontdekken met RouteYou en FME
De mooiste recreatieve routes ontdekken met RouteYou en FME
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
 
Software Testing Exam imp Ques Notes.pdf
Software Testing Exam imp Ques Notes.pdfSoftware Testing Exam imp Ques Notes.pdf
Software Testing Exam imp Ques Notes.pdf
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
 
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.ILBeyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL
 
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
 
Designing for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web ServicesDesigning for Privacy in Amazon Web Services
Designing for Privacy in Amazon Web Services
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
 

Linux Capabilities - eng - v2.1.5, compact

  • 1. Linux Capabilites Table of Contents Title Pages Title Pages Table of Contents 1 Extracting and... 4 Copyright Notice 1 System Configuration 2 LC: what they are... 3 Capability Assignment 10 The ping case 4 Distro Status 7 What LC for ping? 3 Issues? 2 Managing LCs 4 Aknowledgments 1 More examples 10
  • 2. CCooppyyrriigghhtt NNoottiiccee Presentation by: Alessandro Selli <alessandroselli@linux.com> Copyright © 2014 Alessandro Selli. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later one published by the Free Software Foundation, with the Invariant Section being the present slide (number 1), no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is available on-line or can be obtained from the author. Version 2.1.5, 2014/10/28
  • 3. Linux Capabilites: what they are and do 1-3 ● Started as an implementation of POSIX:  1003.1e (API), "Protection, Audit and Control Interfaces"  1003.2c (Shell and Utilities), "Protection and Control Interfaces" ● Sometimes called Linux POSIX Capabilities ● 1003.1e and 1003.2c were last revised in 1997 ● In 1999 they were set as withdrawn drafts ● Linux has thus gone it's own way
  • 4. Linux Capabilites: what they are and do 2-3 Advantages: ● They allow delegation of super-user rights to unprivileged processes, like suid bit ● They are recorded on the filesystem, like suid bit ● They do not work on a “everything or nothing” basis, unlike suid In short: ● they allow a process to do some selected things with root rights, while not anything else
  • 5. Linux Capabilites: what they are and do 3-3 Disadvantages: ● Commands need code to be made LC-conscious ● Some FS do not support LC (NFS v.3, though squashfs, tmpfs and f2fs now do): [root@debian ~]# getcap /mnt/nfs/nfsserver/dumpdates Failed to get capabilities of file `/mnt/nfs/nfsserver/dumpdates' (Operation not supported) [root@debian ~]# ● LCs are not dropped like SUID  The newer libcap-ng libs makes this easy
  • 6. TThhee ppiinngg ccaassee 11--44 ● A classic example: ping ● It needs superuser rights to send echo-request ICMP packets ● You surely do not want to let anyone be able to produce arbitrary ICMP packets! ● This is the traditional approach:
  • 7. TThhee ppiinngg ccaassee 22--44 Starting situation: [alessandro@ubuntu ~]$ lsb_release ­drc Description: Ubuntu 14.04.1 LTS Release: 14.04 Codename: trusty [alessandro@ubuntu ~]$ ll /bin/ping ­rwsr­xr­x 1 root root 44178 mag 7 23:51 /bin/ping [alessandro@ubuntu ~]$ ping ­c 3 route­add. net PING route­add. net (195.182.210.166) 56(84) bytes of data. 64 bytes from route­add. net (195.182.210.166): icmp_seq=1 ttl=55 time=46.8 ms 64 bytes from route­add. net (195.182.210.166): icmp_seq=2 ttl=55 time=46.6 ms 64 bytes from route­add. net (195.182.210.166): icmp_seq=3 ttl=55 time=45.5 ms ­­­route­add. net ping statistics ­­­3 packets transmitted, 3 received, 0% packet loss, time 2002ms rtt min/avg/max/mdev = 45.549/46.329/46.829/0.558 ms [alessandro@ubuntu ~]$
  • 8. TThhee ppiinngg ccaassee 33--44 ● According to standards, the process rights are those of the user who launched the exec Not of the owner of the executable file! ● Unless the suid bit is set, that is. ­rwsr­xr­x 1 root root 44178 mag 7 23:51 /bin/ping
  • 9. TThhee ppiinngg ccaassee 44--44 Let's “sabotage” ping: [root@ubuntu ~]# chmod u­s /bin/ping [root@ubuntu ~]# ll /bin/ping ­rwxr­xr­x 1 root root 44178 mag 7 23:51 /bin/ping [root@ubuntu ~]# The aftermath: [alessandro@ubuntu ~]$ ping ­c 3 route­add. net ping: icmp open socket: Operation not permitted [alessandro@ubuntu ~]$ If not otherwise stated, Ubuntu and Fedora it's the same.
  • 10. WWhhaatt LLCC ffoorr ppiinngg?? 11--33 ● We want both the power and the safety ● We want to be able to open ICMP sockets without assuming full root privileges! ● How do Linux Capabilities help us out? ● RTFM, of course! ➢ man capabilities(7) ➢ Most up-to-date list & info: linux/include/uapi/linux/capability.h
  • 11. WWhhaatt LLCC ffoorr ppiinngg?? 22--33 We get many capabilities to choose from: AUDIT_CONTROL AUDIT_WRITE BLOCK_SUSPEND CHOWN DAC_OVERRIDE DAC_READ_SEARCHC AP_LEASE FOWNER FSETID IPC_LOCK IPC_OWNER KILL LEASE LINUX_IMMUTABLE MAC_ADMIN MAC_OVERRIDE MKNOD NET_ADMIN NET_BIND_SERVICE This is what we need now NET_RAW SETGID SETFCAP SETPCAP SETUID SYS_ADMIN SYS_BOOT SYS_CHROOT SYS_MODULE SYS_NICE SYS_PACCT SYS_PTRACE SYS_RAWIO SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG SYSLOG WAKE_ALARM
  • 12. WWhhaatt LLCC ffoorr ppiinngg?? 22--33 We get many capabilities to choose from: AUDIT_CONTROL AUDIT_WRITE BLOCK_SUSPEND CHOWN DAC_OVERRIDE DAC_READ_SEARCHC AP_LEASE Leading CAP_ omitted everywhere FOWNER FSETID IPC_LOCK IPC_OWNER KILL LEASE LINUX_IMMUTABLE MAC_ADMIN MAC_OVERRIDE MKNOD NET_ADMIN NET_BIND_SERVICE This is what we need now NET_RAW SETGID SETFCAP SETPCAP SETUID SYS_ADMIN SYS_BOOT SYS_CHROOT SYS_MODULE SYS_NICE SYS_PACCT SYS_PTRACE SYS_RAWIO SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG SYSLOG WAKE_ALARM
  • 13. WWhhaatt LLCC ffoorr ppiinngg?? 33--33 Man page says: CAP_NET_RAW * use RAW and PACKET sockets; * bind to any address for transparent proxying. Sounds like what we need. How shall we apply it?
  • 14. MMaannaaggiinngg LLCCss 11--44 Capabilities can be handled whith commands: ➢ getcap, display file capabilities ➢ setcap, set file capabilities ➢ getpcaps, display process capabilities ➢ capsh, capability shell wrapper Each capability can have these sets associated: ➢ p, process is permitted the capability ➢ e, capability is marked as effective ➢ i, capability is inherited after an execve()
  • 15. MMaannaaggiinngg LLCCss 11--44 Capabilities can be handled whith commands: ➢ getcap, display file capabilities ➢ setcap, set file capabilities ➢ getpcaps, display process capabilities ➢ capsh, capability shell wrapper Each capability can have these sets associated: ➢ p, process is permitted the capability ➢ e, capability is marked as effective ➢ i, capability is inherited after an execve() This has become a bit
  • 16. MMaannaaggiinngg LLCCss 22--44 Let's start using them: [root@ubuntu ~]# chmod u­s /bin/ping [root@ubuntu ~]# ll /bin/ping ­rwxr­xr­x 1 root root 44168 mag 7 23:51 /bin/ping* [root@ubuntu ~]# getcap /bin/ping [root@ubuntu ~]# setcap CAP_NET_RAW=ep /bin/ping Case sensitive! Case-insensitive
  • 17. MMaannaaggiinngg LLCCss 22--44 Let's start using them: [root@ubuntu ~]# chmod u­s /bin/ping [root@ubuntu ~]# ll /bin/ping ­rwxr­xr­x 1 root root 44168 mag 7 23:51 /bin/ping* [root@ubuntu ~]# getcap /bin/ping [root@ubuntu ~]# setcap CAP_NET_RAW=ep /bin/ping [root@ubuntu ~]# getcap /bin/ping /bin/ping = cap_net_raw+ep [root@ubuntu ~]# Can use this notation with setcap, too
  • 18. MMaannaaggiinngg LLCCss 33--44 Does it work? [alessandro@ubuntu ~]$ ping ­c 3 route­add. net PING route­add. net (195.182.210.166) 56(84) bytes of data. 64 bytes from route­add. net (195.182.210.166): icmp_seq=1 ttl=55 time=30.7 ms 64 bytes from route­add. net (195.182.210.166): icmp_seq=2 ttl=55 time=30.9 ms 64 bytes from route­add. net (195.182.210.166): icmp_seq=3 ttl=55 time=31.3 ms ­­­route­add. net ping statistics ­­­3 packets transmitted, 3 received, 0% packet loss, time 2000ms rtt min/avg/max/mdev = 30.709/30.988/31.350/0.304 ms [alessandro@ubuntu ~]$
  • 19. MMaannaaggiinngg LLCCss 44--44 Just a note: ping capabilities in Fedora 20: [root@fedora ~]# getcap /bin/ping /bin/ping = cap_net_admin,cap_net_raw+ep [root@fedora ~]# CAP_NET_ADMIN is for packet tagging: [alessandro@fedora ~]$ ping ­c1 ­m 123 route­add. net PING route­add. net (195.182.210.166) 56(84) bytes of data. Warning: Failed to set mark 123 64 bytes from route­add. net (195.182.210.166): icmp_seq=1 ttl=53 time=45.8 ms ­­­route­add. net ping statistics ­­­1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 45.802/45.802/45.802/0.000 ms [alessandro@fedora ~]$
  • 20. MMoorree eexxaammpplleess 11--1111 Everyone knows of extended POSIX attributes, right? RRiigghhtt?? If you don't, you ought to. ● LC are useful, even necessary to make use of EPA.
  • 21. MMoorree eexxaammpplleess 22--1111 EPAs let you, among the rest, set files that: ­a: can only have data be appended to ­i: are immutable (cannot overwrite or erase) ­S: do synchronous writes on the media ­D: synchronous writes on directories ... (there can be up to 19) Figuring out what filesystem supports which EPA and with not is a matter of guesswork...
  • 22. MMoorree eexxaammpplleess 33--1111 There is one catch, though: ● chattr does not work for ordinary users: [alessandro@fedora ~]$ chattr +i .bashrc chattr: Operation not permitted while setting flags on .bashrc [alessandro@fedora ~]$
  • 23. MMoorree eexxaammpplleess 44--1111 Classical UNIX solution is to make it SUID root: [root@fedora ~]# ll /usr/bin/chattr ­rwxr­xr­x 1 root root 10528 giu 24 13:10 /usr/bin/chattr [root@fedora ~]# chmod u+s /usr/bin/chattr [root@fedora ~]# ll /usr/bin/chattr ­rwsr­xr­x 1 root root 10528 giu 24 13:10 /usr/bin/chattr [root@fedora ~]# It would work: [alessandro@fedora ~]$ chattr +i .bashrc [alessandro@fedora ~]$ lsattr .bashrc ­­­­i­­­­­­­­e­­. bashrc [alessandro@fedora ~]$
  • 24. MMoorree eexxaammpplleess 55--1111 But... [alessandro@fedora ~]$ lsattr ~games/.profile ­­­­­­­­­­­­­e­­/ opt/games/.profile [alessandro@fedora ~]$ chattr +i ~games/.profile [alessandro@fedora ~]$ lsattr ~games/.profile ­­­­i­­­­­­­­e­­/ usr/games/.profile [alessandro@fedora ~]$ Which is normal for superuser rights. We definitely do not want this to happen.
  • 25. MMoorree eexxaammpplleess 66--1111 This is the right way to do it: [root@fedora ~]# chmod u­s /bin/chattr [root@fedora ~]# ll /bin/chattr ­rwxr­xr­x 1 root root 10736 Aug 3 11:36 /bin/chattr [root@fedora ~]# setcap CAP_LINUX_IMMUTABLE=ep /bin/chattr [root@fedora ~]# getcap /bin/chattr /bin/chattr = cap_linux_immutable+ep [root@fedora ~]#
  • 26. MMoorree eexxaammpplleess 77--1111 Which causes the right things to happen: [alessandro@fedora ~]$ lsattr .bashrc ­­­­­­­­­­­­­e­­. bashrc [alessandro@fedora ~]$ chattr +i .bashrc [alessandro@fedora ~]$ lsattr .bashrc ­­­­i­­­­­­­­e­­. bashrc [alessandro@fedora ~]$ chattr +i ~games/.profile chattr: Permission denied while setting flags on /usr/games/.profile [alessandro@fedora ~]$
  • 27. "I'm sorry Dave, I'm afraid I can't do that".
  • 28. MMoorree eexxaammpplleess 88--1111 ●DAC = Discretionary Access Control ● It's the classic Unix “who gets to do what” decision mechanism ● In the filesystem it shows as the rwx file rights ● Linux Capabilities can mess them up as well! :-)
  • 29. MMoorree eexxaammpplleess 99--1111 Let's beep the beeper! (In an xterm) [alessandro@fedora ~]$ beep ­f 2000 ­l 100 Could not open /dev/tty0 or /dev/vc/0 for writing open: No such file or directory [alessandro@fedora ~]$ Man page says: By default beep is not installed with the suid bit set, because that would just be zany. On the other hand, if you do make it suid root, all your problems with beep bailing on ioctl calls will magically vanish, which is pleasant, and the only reason not to is that any suid program is a potential security hole. Conveniently, beep is very short, so auditing it is pretty straightforward.
  • 30. MMoorree eexxaammpplleess 1100--1111 Let's try using LC instead. The error we got was: Could not open /dev/tty0 or /dev/vc/0 for writing That is, it's a DAC issue. [root@fedora ~]# setcap CAP_DAC_OVERRIDE=pe /bin/beep [root@fedora ~]# [alessandro@fedora ~]$ beep ­f 2000 ­l 100 ioctl: Operation not permitted ioctl: Operation not permitted [alessandro@fedora ~]$ CAP_SYS_TTY_CONFIG Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals. From beep(1):
  • 31. MMoorree eexxaammpplleess 1100--1111 Both capabilities together: [root@fedora ~]# setcap > CAP_DAC_OVERRIDE,CAP_SYS_TTY_CONFIG=pe /bin/beep [root@fedora ~]# [alessandro@fedora ~]$ beep ­f 2000 ­l 100 [alessandro@fedora ~]$
  • 32. "All right Dave, I think I figured out a way to do that"
  • 33. Extracting and Decoding LC info 1-4 What LCs are active now? [root@ubuntu ~]# cp /bin/bash /tmp/ [root@ubuntu ~]# setcap CAP_KILL,CAP_DAC_OVERRIDE+epi /tmp/bash [root@ubuntu ~]# getcap /tmp/bash /tmp/bash = cap_dac_override,cap_kill+eip [root@ubuntu ~]# Inheritance is set [alessandro@ubuntu ~]$ /tmp/bash ­l [alessandro@ubuntu ~]$ getpcaps $$ Capabilities for `15400': = cap_dac_override,cap_kill+ep [alessandro@ubuntu ~]$ grep ^Cap /proc/$$/status CapInh: 0000000000000000 CapPrm: 0000000000000022 CapEff: 0000000000000022 CapBnd: 0000001fffffffff [alessandro@ubuntu ~]$ Inheritance is missing!
  • 34. Extracting and Decoding LC info 2-4 Decoding Hex LC bitmap: [alessandro@ubuntu ~]$ grep ^Cap /proc/$$/status CapInh: 0000000000000000 CapPrm: 0000000000000022 CapEff: 0000000000000022 CapBnd: 0000001fffffffff [alessandro@ubuntu ~]$ capsh ­­decode= 0000000000000000 0x0000000000000000= [alessandro@ubuntu ~]$ capsh ­­decode= 0000000000000022 0x0000000000000022=cap_dac_override,cap_kill [alessandro@ubuntu ~]$ Still represented as a set
  • 35. Extracting and Decoding LC info 3-4 0000001fffffffff = Capability Bounding Set 1 = allowable cap (kept if present) 0 = masked cap (or no LC associated to bit) Bits are mapped one-to-one to a LC 0000001fffffffff is a 64-bit mask ● It's been a 64 bit mask since libcap vers. 2.03 ● Before it was 32-bit
  • 36. Extracting and Decoding LC info 4-4 Number of bit-mapped capabilities is consistent with zero-based value stored in /proc/sys/kernel/cap_last_cap Kernel 3.14.19:1fffffffff → 1+9*4=37 /proc/sys/kernel/cap_last_cap = 36 Kernel 3.16.3: 3fffffffff → 2+9*4=38 /proc/sys/kernel/cap_last_cap = 37
  • 37. SSyysstteemm CCoonnffiigguurraattiioonn 11--22 capability.conf1: users who inherit LCs [root@ubuntu ~]# cat /etc/security/capability.conf cap_kill alessandro none * [root@ubuntu ~]# Changes are effective after a new login: Ubuntu 14.04.1 LTS ubuntu tty1 If missing all users get all available capabilities! CAP_KILL is now inherited ubuntu login: alessandro Password: [alessandro@ubuntu ~]$ getpcaps $$ Capabilities for `8586': = cap_kill+i [alessandro@ubuntu ~]$
  • 38. SSyysstteemm CCoonnffiigguurraattiioonn 22--22 Child process of new shell now does inherit LCs: [alessandro@ubuntu ~]$ getpcaps $$ Capabilities for `16332': = cap_kill+i [alessandro@ubuntu ~]$ getcap /tmp/bash /tmp/bash = cap_dac_override,cap_kill+eip [alessandro@ubuntu ~]$ /tmp/bash ­l [alessandro@ubuntu ~]$ getpcaps $$ Capabilities for `16849': = cap_kill+eip cap_dac_override+ep [alessandro@ubuntu ~]$ Cap is in config file Cap is not in config file 1) Ubuntu package libpam-cap is required. Fedora has package libcap, but this setup does not work (PAM failure: System error)
  • 39. Capability aassssiiggnnmmeenntt 11--1100 2.2.11 2.6.25 optional 2.6.33 built-in System-wide bounding-set Per-thread bounding-set ● Before 2.6.25 Bounding Set was system-wide ● Beginning 2.6.25 it's per-thread ● Can be dropped by process with CAP_SETPCAP via prctl(2) PR_CAPBSET_DROP operation ● Inherited at fork(2), preserved on execve(2) ● Optional until 2.6.33, then built-in
  • 40. Capability aassssiiggnnmmeenntt 22--1100 N New P Previous F Capab. set to the File e Effective capability p Permitted capability i Inherited capability CBS Capability Bounding Set1 New capabilities used to be computed this way: Np (Pi∪Fi)∩(Fp∪CBS) Ne Fe∪Np Ni Pi 1) Mask of permitted capabilities retained after an execve(2). No effect on inherited caps. From kernel 2.6.25, limits inherited capabilities that can be added to self even if they are permitted.
  • 41. Capability aassssiiggnnmmeenntt 33--1100 N New P Previous F Capab. set to the File e Effective capability p Permitted capability i Inherited capability CBS Capability Bounding Set1 Now they are computed this way: Np (Pi∪Fi)∩(Fp∪CBS) Ne Fe ? Np : 02 Ni Pi 2) Not and AND any more, because Effective set is a bit, no longer a set (one bit per capability) as it used to be.
  • 42. Capability aassssiiggnnmmeenntt 44--1100 What does the Capability Bounding Set do? 1) On an execve(2), it ANDs out thread's permitted caps from file's permitted caps. 2) Limits thread's inheritable caps that can be added with a capset(2) (kernel >= 2.6.25). a)Filtered capability can still be permitted b)Inheritable cap can still be set if it's in file's inheritable set.
  • 43. Capability aassssiiggnnmmeenntt 55--1100 Possibile security risk: undesired permitted caps. Consider the situation: 1) Parent process has CAP_X Inh, not in CBS 2) CAP_X cannot be in Perm set a) But it is retained in Inh set by children 3) Process can still exec child with CAP_X in both Perm and Inh sets! Dropping CBS can instill a false sense of security! Alone it's not sufficient!
  • 44. Capability aassssiiggnnmmeenntt 66--1100 Like SUID, shell scripts' LC are not honored: [alessandro@ubuntu ~]$ cat ~/bin/test_cap.sh #!/bin/dash getpcaps $$ grep ^Cap /proc/$$/status [alessandro@ubuntu ~]$ getcap ~/bin/test_cap.sh /home/alessandro/bin/test_cap.sh = cap_linux_immutable+ep [alessandro@ubuntu ~]$ test_cap.sh Capabilities for `9093': = Not honored CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 Not honored CapBnd: 0000001fffffffff [alessandro@ubuntu ~]$
  • 45. Capability aassssiiggnnmmeenntt 77--1100 Only binary executables' LC are honored: [alessandro@ubuntu ~]$ cat ~/bin/test2_cap.sh #!/tmp/dash getpcaps $$ grep ^Cap /proc/$$/status [alessandro@ubuntu ~]$ getcap ~/bin/test2_cap.sh /tmp/dash /tmp/dash = cap_linux_immutable+ep [alessandro@ubuntu ~]$ test2_cap.sh Capabilities for `9218': = cap_linux_immutable+ep CapInh: 0000000000000000 CapPrm: 0000000000000200 CapEff: 0000000000000200 Now honored Now honored CapBnd: 0000001fffffffff [alessandro@ubuntu ~]$
  • 46. Capability aassssiiggnnmmeenntt 88--1100 Command capsh can reduce shell CBS: [alessandro@ubuntu ~]$ getcap $(which capsh) /sbin/capsh = cap_setpcap+p [alessandro@ubuntu ~]$ grep ^Cap /proc/$$/status CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000001fffffffff [alessandro@ubuntu ~]$ capsh ­­drop= cap_net_raw ­­[ alessandro@ubuntu ~]$ grep ^Cap /proc/$$/status CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000001fffffdfff [alessandro@ubuntu ~]$
  • 47. Capability aassssiiggnnmmeenntt 99--1100 CBS reduction with capsh. Initial state: [alessandro@ubuntu ~]$ getcap $(which capsh ping) /sbin/capsh = cap_setpcap+p /bin/ping = cap_net_raw+p [alessandro@ubuntu ~]$ getpcaps $$ Capabilities for `7842': = [alessandro@ubuntu ~]$ ping ­qc1 route­add. net PING route­add. net (195.182.210.166) 56(84) bytes of data. ­­­route­add. net ping statistics ­­­1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 27.718/27.718/27.718/0.000 ms [alessandro@ubuntu ~]$
  • 48. CCaappaabbiilliittyy aassssiiggnnmmeenntt 1100--1100 Running new shell with lowered CBS via capsh: [alessandro@ubuntu ~]$ capsh ­­drop= cap_net_raw ­­[ alessandro@ubuntu ~]$ grep ^Cap /proc/$$/status CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000001fffffdfff [alessandro@ubuntu ~]$ capsh ­­decode= 2000 0x0000000000002000=cap_net_raw [alessandro@ubuntu ~]$ ping ­qc1 route­add. net ping: icmp open socket: Operation not permitted [alessandro@ubuntu ~]$
  • 49. DDiissttrroo ssttaattuuss 11--77 The plan is to replace as many SUID/SGID executables with capabilities as possible: ● Fedora: Last update: 2011-04-05, completion: 100% (many, but not all, SUID taken off) ● Ubuntu: WIP (Last update: 2011-09-27) Not everything SUID could be ported to Linux Capabilities (yet)
  • 50. DDiissttrroo ssttaattuuss 22--77 Fedora 20 (Heisenbug): a couple dozen suid files (in a non-standard LXDE install) # find / ­xdev ­type f ­perm /111 ­perm /4000 ­user root | wc ­l 23 # /usr/sbin/mount.nfs /usr/bin/mount /usr/bin/chsh /usr/bin/write /usr/bin/fusermount /usr/bin/umount /usr/bin/chage /usr/bin/passwd /usr/bin/newgrp /usr/bin/locate /usr/bin/su /usr/bin/sudo /usr/bin/gpasswd /usr/bin/cgexec /usr/bin/chfn /usr/bin/Xorg /usr/bin/ssh­agent /usr/bin/crontab /usr/bin/at /usr/bin/ksu /usr/sbin/postqueue /usr/sbin/postdrop /usr/sbin/ssmtp /usr/bin/pkexec
  • 51. DDiissttrroo ssttaattuuss 33--77 Ubuntu 14.04.1 (Trusty Tahr): a few more (also in a non-standard, XFCE install) # find / /usr ­xdev ­type f ­perm /111 ­perm /4000 ­user root | wc ­l 29 # They used to be 34 in 13.10 (Saucy Salamander)
  • 52. DDiissttrroo ssttaattuuss 44--77 Let's see one case where LC do not work: [alessandro@fedora ~]$ ll /usr/bin/at ­rwsr­xr­x 1 root root 53208 5 dic 12.34 /usr/bin/at [alessandro@fedora ~]$ getcap /usr/bin/at [alessandro@fedora ~]$ Let's strip off the SUID bit and any cap: [root@fedora ~]# chmod u­s /usr/bin/at [root@fedora ~]# setcap ­r /usr/bin/at [root@fedora ~]# [alessandro@fedora ~]$ at ­f ~/bin/at.sh now+5min cannot set egid: Operation not permitted [alessandro@fedora ~]$
  • 53. DDiissttrroo ssttaattuuss 55--77 Let's try to make it happy: [root@fedora ~]# setcap CAP_SETGID+ep /usr/bin/at [root@fedora ~]# No joy: [alessandro@fedora ~]$ at ­f ~/bin/at.sh now+5min cannot set euid: Operation not permitted [alessandro@fedora ~]$ [root@fedora ~]# setcap CAP_SETUID,CAP_SETGID+ep /usr/bin/at [root@fedora ~]# [alessandro@fedora ~]$ at ­f ~/bin/at.sh now+5min PAM failure: System error [alessandro@fedora ~]$ :­(
  • 54. DDiissttrroo ssttaattuuss 66--77 Log says: [alessandro@fedora ~]$ tail ­1 /var/log/secure Feb 23 10:08:43 fedora at: PAM audit_log_acct_message() failed: Operation not permitted [alessandro@fedora ~]$ Game over, for now.
  • 55. DDiissttrroo ssttaattuuss 77--77 Ubuntu has taken a different approach: ● it uses the same at/atd implementation (by Thomas Koenig, ig25@rz.uni-karlsruhe.de) ● it runs the daemon as user daemon ● the client command is SUID and SGUI daemon:daemon, allowing it to:  write into /var/spool/cron/atjobs/.SEQ  send atd signals Old school, simple, effective, safe.
  • 56. IIssssuueess?? 11--22 «Why are not more people aware of and using capabilities? I believe that poor documentation is the primary reason. For example, Fedora 10 is missing the man pages for getpcaps, capsh and pam_cap, and the Fedora Security Guide does not even mention capabilities» (Finnbarr P. Murphy, May 28th, 2009 ) Every bit as true today!
  • 57. IIssssuueess?? 22--22 ●Online distro docs stopped years ago ● Fedora Security Guide in same condition in 19.1, and is absent in 20 documentation ➢ At least man pages are there ➢ SELinux only future? ● Behaviour of LC changing over time ➢ Same commands, capabilities and sets yield different result from 2.6.24 with no errors ● libcap-ng should make programming easier
  • 58. AAkknnoowwlleeddggmmeennttss 11--11 ● The Linux man-pages Project people ( https://www.kernel.org/doc/man-pages/) ● Finnbarr P. Murphy (blog post and references, useful though outdated) ● And kernel developers, of course!  Andrew G. Morgan <morgan@kernel.org>  Alexander Kjeldaas <astor@guardian.no> with help from Aleph1, Roland Buresund and Andrew Main.