SlideShare ist ein Scribd-Unternehmen logo

Linux Capabilities - eng - v2.1.5, compact

Als ODP, PDF herunterladen
Alessandro Selli
Alessandro Selli

Linux Capabilities: A better root than SUID root Presented at LinuxCon2014, Düsseldorf, Oct. 15th 2014

Software
1 von 58
Linux Capabilites Table of Contents Title Pages Title Pages Table of Contents 1 Extracting and... 4 Copyright Notice 1 System Configuration 2 LC: what they are... 3 Capability Assignment 10 The ping case 4 Distro Status 7 What LC for ping? 3 Issues? 2 Managing LCs 4 Aknowledgments 1 More examples 10
CCooppyyrriigghhtt NNoottiiccee Presentation by: Alessandro Selli <alessandroselli@linux.com> Copyright © 2014 Alessandro Selli. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later one published by the Free Software Foundation, with the Invariant Section being the present slide (number 1), no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is available on-line or can be obtained from the author. Version 2.1.5, 2014/10/28
Linux Capabilites: what they are and do 1-3 ● Started as an implementation of POSIX:  1003.1e (API), "Protection, Audit and Control Interfaces"  1003.2c (Shell and Utilities), "Protection and Control Interfaces" ● Sometimes called Linux POSIX Capabilities ● 1003.1e and 1003.2c were last revised in 1997 ● In 1999 they were set as withdrawn drafts ● Linux has thus gone it's own way
Linux Capabilites: what they are and do 2-3 Advantages: ● They allow delegation of super-user rights to unprivileged processes, like suid bit ● They are recorded on the filesystem, like suid bit ● They do not work on a “everything or nothing” basis, unlike suid In short: ● they allow a process to do some selected things with root rights, while not anything else
Linux Capabilites: what they are and do 3-3 Disadvantages: ● Commands need code to be made LC-conscious ● Some FS do not support LC (NFS v.3, though squashfs, tmpfs and f2fs now do): [root@debian ~]# getcap /mnt/nfs/nfsserver/dumpdates Failed to get capabilities of file `/mnt/nfs/nfsserver/dumpdates' (Operation not supported) [root@debian ~]# ● LCs are not dropped like SUID  The newer libcap-ng libs makes this easy
TThhee ppiinngg ccaassee 11--44 ● A classic example: ping ● It needs superuser rights to send echo-request ICMP packets ● You surely do not want to let anyone be able to produce arbitrary ICMP packets! ● This is the traditional approach:
TThhee ppiinngg ccaassee 22--44 Starting situation: [alessandro@ubuntu ~]$ lsb_release ­drc Description: Ubuntu 14.04.1 LTS Release: 14.04 Codename: trusty [alessandro@ubuntu ~]$ ll /bin/ping ­rwsr­xr­x 1 root root 44178 mag 7 23:51 /bin/ping [alessandro@ubuntu ~]$ ping ­c 3 route­add. net PING route­add. net (195.182.210.166) 56(84) bytes of data. 64 bytes from route­add. net (195.182.210.166): icmp_seq=1 ttl=55 time=46.8 ms 64 bytes from route­add. net (195.182.210.166): icmp_seq=2 ttl=55 time=46.6 ms 64 bytes from route­add. net (195.182.210.166): icmp_seq=3 ttl=55 time=45.5 ms ­­­route­add. net ping statistics ­­­3 packets transmitted, 3 received, 0% packet loss, time 2002ms rtt min/avg/max/mdev = 45.549/46.329/46.829/0.558 ms [alessandro@ubuntu ~]$
TThhee ppiinngg ccaassee 33--44 ● According to standards, the process rights are those of the user who launched the exec Not of the owner of the executable file! ● Unless the suid bit is set, that is. ­rwsr­xr­x 1 root root 44178 mag 7 23:51 /bin/ping
TThhee ppiinngg ccaassee 44--44 Let's “sabotage” ping: [root@ubuntu ~]# chmod u­s /bin/ping [root@ubuntu ~]# ll /bin/ping ­rwxr­xr­x 1 root root 44178 mag 7 23:51 /bin/ping [root@ubuntu ~]# The aftermath: [alessandro@ubuntu ~]$ ping ­c 3 route­add. net ping: icmp open socket: Operation not permitted [alessandro@ubuntu ~]$ If not otherwise stated, Ubuntu and Fedora it's the same.
WWhhaatt LLCC ffoorr ppiinngg?? 11--33 ● We want both the power and the safety ● We want to be able to open ICMP sockets without assuming full root privileges! ● How do Linux Capabilities help us out? ● RTFM, of course! ➢ man capabilities(7) ➢ Most up-to-date list & info: linux/include/uapi/linux/capability.h
WWhhaatt LLCC ffoorr ppiinngg?? 22--33 We get many capabilities to choose from: AUDIT_CONTROL AUDIT_WRITE BLOCK_SUSPEND CHOWN DAC_OVERRIDE DAC_READ_SEARCHC AP_LEASE FOWNER FSETID IPC_LOCK IPC_OWNER KILL LEASE LINUX_IMMUTABLE MAC_ADMIN MAC_OVERRIDE MKNOD NET_ADMIN NET_BIND_SERVICE This is what we need now NET_RAW SETGID SETFCAP SETPCAP SETUID SYS_ADMIN SYS_BOOT SYS_CHROOT SYS_MODULE SYS_NICE SYS_PACCT SYS_PTRACE SYS_RAWIO SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG SYSLOG WAKE_ALARM
WWhhaatt LLCC ffoorr ppiinngg?? 22--33 We get many capabilities to choose from: AUDIT_CONTROL AUDIT_WRITE BLOCK_SUSPEND CHOWN DAC_OVERRIDE DAC_READ_SEARCHC AP_LEASE Leading CAP_ omitted everywhere FOWNER FSETID IPC_LOCK IPC_OWNER KILL LEASE LINUX_IMMUTABLE MAC_ADMIN MAC_OVERRIDE MKNOD NET_ADMIN NET_BIND_SERVICE This is what we need now NET_RAW SETGID SETFCAP SETPCAP SETUID SYS_ADMIN SYS_BOOT SYS_CHROOT SYS_MODULE SYS_NICE SYS_PACCT SYS_PTRACE SYS_RAWIO SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG SYSLOG WAKE_ALARM
WWhhaatt LLCC ffoorr ppiinngg?? 33--33 Man page says: CAP_NET_RAW * use RAW and PACKET sockets; * bind to any address for transparent proxying. Sounds like what we need. How shall we apply it?
MMaannaaggiinngg LLCCss 11--44 Capabilities can be handled whith commands: ➢ getcap, display file capabilities ➢ setcap, set file capabilities ➢ getpcaps, display process capabilities ➢ capsh, capability shell wrapper Each capability can have these sets associated: ➢ p, process is permitted the capability ➢ e, capability is marked as effective ➢ i, capability is inherited after an execve()
MMaannaaggiinngg LLCCss 11--44 Capabilities can be handled whith commands: ➢ getcap, display file capabilities ➢ setcap, set file capabilities ➢ getpcaps, display process capabilities ➢ capsh, capability shell wrapper Each capability can have these sets associated: ➢ p, process is permitted the capability ➢ e, capability is marked as effective ➢ i, capability is inherited after an execve() This has become a bit
MMaannaaggiinngg LLCCss 22--44 Let's start using them: [root@ubuntu ~]# chmod u­s /bin/ping [root@ubuntu ~]# ll /bin/ping ­rwxr­xr­x 1 root root 44168 mag 7 23:51 /bin/ping* [root@ubuntu ~]# getcap /bin/ping [root@ubuntu ~]# setcap CAP_NET_RAW=ep /bin/ping Case sensitive! Case-insensitive
MMaannaaggiinngg LLCCss 22--44 Let's start using them: [root@ubuntu ~]# chmod u­s /bin/ping [root@ubuntu ~]# ll /bin/ping ­rwxr­xr­x 1 root root 44168 mag 7 23:51 /bin/ping* [root@ubuntu ~]# getcap /bin/ping [root@ubuntu ~]# setcap CAP_NET_RAW=ep /bin/ping [root@ubuntu ~]# getcap /bin/ping /bin/ping = cap_net_raw+ep [root@ubuntu ~]# Can use this notation with setcap, too
MMaannaaggiinngg LLCCss 33--44 Does it work? [alessandro@ubuntu ~]$ ping ­c 3 route­add. net PING route­add. net (195.182.210.166) 56(84) bytes of data. 64 bytes from route­add. net (195.182.210.166): icmp_seq=1 ttl=55 time=30.7 ms 64 bytes from route­add. net (195.182.210.166): icmp_seq=2 ttl=55 time=30.9 ms 64 bytes from route­add. net (195.182.210.166): icmp_seq=3 ttl=55 time=31.3 ms ­­­route­add. net ping statistics ­­­3 packets transmitted, 3 received, 0% packet loss, time 2000ms rtt min/avg/max/mdev = 30.709/30.988/31.350/0.304 ms [alessandro@ubuntu ~]$
MMaannaaggiinngg LLCCss 44--44 Just a note: ping capabilities in Fedora 20: [root@fedora ~]# getcap /bin/ping /bin/ping = cap_net_admin,cap_net_raw+ep [root@fedora ~]# CAP_NET_ADMIN is for packet tagging: [alessandro@fedora ~]$ ping ­c1 ­m 123 route­add. net PING route­add. net (195.182.210.166) 56(84) bytes of data. Warning: Failed to set mark 123 64 bytes from route­add. net (195.182.210.166): icmp_seq=1 ttl=53 time=45.8 ms ­­­route­add. net ping statistics ­­­1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 45.802/45.802/45.802/0.000 ms [alessandro@fedora ~]$
MMoorree eexxaammpplleess 11--1111 Everyone knows of extended POSIX attributes, right? RRiigghhtt?? If you don't, you ought to. ● LC are useful, even necessary to make use of EPA.
MMoorree eexxaammpplleess 22--1111 EPAs let you, among the rest, set files that: ­a: can only have data be appended to ­i: are immutable (cannot overwrite or erase) ­S: do synchronous writes on the media ­D: synchronous writes on directories ... (there can be up to 19) Figuring out what filesystem supports which EPA and with not is a matter of guesswork...
MMoorree eexxaammpplleess 33--1111 There is one catch, though: ● chattr does not work for ordinary users: [alessandro@fedora ~]$ chattr +i .bashrc chattr: Operation not permitted while setting flags on .bashrc [alessandro@fedora ~]$
MMoorree eexxaammpplleess 44--1111 Classical UNIX solution is to make it SUID root: [root@fedora ~]# ll /usr/bin/chattr ­rwxr­xr­x 1 root root 10528 giu 24 13:10 /usr/bin/chattr [root@fedora ~]# chmod u+s /usr/bin/chattr [root@fedora ~]# ll /usr/bin/chattr ­rwsr­xr­x 1 root root 10528 giu 24 13:10 /usr/bin/chattr [root@fedora ~]# It would work: [alessandro@fedora ~]$ chattr +i .bashrc [alessandro@fedora ~]$ lsattr .bashrc ­­­­i­­­­­­­­e­­. bashrc [alessandro@fedora ~]$
MMoorree eexxaammpplleess 55--1111 But... [alessandro@fedora ~]$ lsattr ~games/.profile ­­­­­­­­­­­­­e­­/ opt/games/.profile [alessandro@fedora ~]$ chattr +i ~games/.profile [alessandro@fedora ~]$ lsattr ~games/.profile ­­­­i­­­­­­­­e­­/ usr/games/.profile [alessandro@fedora ~]$ Which is normal for superuser rights. We definitely do not want this to happen.
MMoorree eexxaammpplleess 66--1111 This is the right way to do it: [root@fedora ~]# chmod u­s /bin/chattr [root@fedora ~]# ll /bin/chattr ­rwxr­xr­x 1 root root 10736 Aug 3 11:36 /bin/chattr [root@fedora ~]# setcap CAP_LINUX_IMMUTABLE=ep /bin/chattr [root@fedora ~]# getcap /bin/chattr /bin/chattr = cap_linux_immutable+ep [root@fedora ~]#
MMoorree eexxaammpplleess 77--1111 Which causes the right things to happen: [alessandro@fedora ~]$ lsattr .bashrc ­­­­­­­­­­­­­e­­. bashrc [alessandro@fedora ~]$ chattr +i .bashrc [alessandro@fedora ~]$ lsattr .bashrc ­­­­i­­­­­­­­e­­. bashrc [alessandro@fedora ~]$ chattr +i ~games/.profile chattr: Permission denied while setting flags on /usr/games/.profile [alessandro@fedora ~]$
"I'm sorry Dave, I'm afraid I can't do that".
MMoorree eexxaammpplleess 88--1111 ●DAC = Discretionary Access Control ● It's the classic Unix “who gets to do what” decision mechanism ● In the filesystem it shows as the rwx file rights ● Linux Capabilities can mess them up as well! :-)
MMoorree eexxaammpplleess 99--1111 Let's beep the beeper! (In an xterm) [alessandro@fedora ~]$ beep ­f 2000 ­l 100 Could not open /dev/tty0 or /dev/vc/0 for writing open: No such file or directory [alessandro@fedora ~]$ Man page says: By default beep is not installed with the suid bit set, because that would just be zany. On the other hand, if you do make it suid root, all your problems with beep bailing on ioctl calls will magically vanish, which is pleasant, and the only reason not to is that any suid program is a potential security hole. Conveniently, beep is very short, so auditing it is pretty straightforward.
MMoorree eexxaammpplleess 1100--1111 Let's try using LC instead. The error we got was: Could not open /dev/tty0 or /dev/vc/0 for writing That is, it's a DAC issue. [root@fedora ~]# setcap CAP_DAC_OVERRIDE=pe /bin/beep [root@fedora ~]# [alessandro@fedora ~]$ beep ­f 2000 ­l 100 ioctl: Operation not permitted ioctl: Operation not permitted [alessandro@fedora ~]$ CAP_SYS_TTY_CONFIG Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals. From beep(1):
MMoorree eexxaammpplleess 1100--1111 Both capabilities together: [root@fedora ~]# setcap > CAP_DAC_OVERRIDE,CAP_SYS_TTY_CONFIG=pe /bin/beep [root@fedora ~]# [alessandro@fedora ~]$ beep ­f 2000 ­l 100 [alessandro@fedora ~]$
"All right Dave, I think I figured out a way to do that"
Extracting and Decoding LC info 1-4 What LCs are active now? [root@ubuntu ~]# cp /bin/bash /tmp/ [root@ubuntu ~]# setcap CAP_KILL,CAP_DAC_OVERRIDE+epi /tmp/bash [root@ubuntu ~]# getcap /tmp/bash /tmp/bash = cap_dac_override,cap_kill+eip [root@ubuntu ~]# Inheritance is set [alessandro@ubuntu ~]$ /tmp/bash ­l [alessandro@ubuntu ~]$ getpcaps $$ Capabilities for `15400': = cap_dac_override,cap_kill+ep [alessandro@ubuntu ~]$ grep ^Cap /proc/$$/status CapInh: 0000000000000000 CapPrm: 0000000000000022 CapEff: 0000000000000022 CapBnd: 0000001fffffffff [alessandro@ubuntu ~]$ Inheritance is missing!
Extracting and Decoding LC info 2-4 Decoding Hex LC bitmap: [alessandro@ubuntu ~]$ grep ^Cap /proc/$$/status CapInh: 0000000000000000 CapPrm: 0000000000000022 CapEff: 0000000000000022 CapBnd: 0000001fffffffff [alessandro@ubuntu ~]$ capsh ­­decode= 0000000000000000 0x0000000000000000= [alessandro@ubuntu ~]$ capsh ­­decode= 0000000000000022 0x0000000000000022=cap_dac_override,cap_kill [alessandro@ubuntu ~]$ Still represented as a set
Extracting and Decoding LC info 3-4 0000001fffffffff = Capability Bounding Set 1 = allowable cap (kept if present) 0 = masked cap (or no LC associated to bit) Bits are mapped one-to-one to a LC 0000001fffffffff is a 64-bit mask ● It's been a 64 bit mask since libcap vers. 2.03 ● Before it was 32-bit
Extracting and Decoding LC info 4-4 Number of bit-mapped capabilities is consistent with zero-based value stored in /proc/sys/kernel/cap_last_cap Kernel 3.14.19:1fffffffff → 1+9*4=37 /proc/sys/kernel/cap_last_cap = 36 Kernel 3.16.3: 3fffffffff → 2+9*4=38 /proc/sys/kernel/cap_last_cap = 37
SSyysstteemm CCoonnffiigguurraattiioonn 11--22 capability.conf1: users who inherit LCs [root@ubuntu ~]# cat /etc/security/capability.conf cap_kill alessandro none * [root@ubuntu ~]# Changes are effective after a new login: Ubuntu 14.04.1 LTS ubuntu tty1 If missing all users get all available capabilities! CAP_KILL is now inherited ubuntu login: alessandro Password: [alessandro@ubuntu ~]$ getpcaps $$ Capabilities for `8586': = cap_kill+i [alessandro@ubuntu ~]$
SSyysstteemm CCoonnffiigguurraattiioonn 22--22 Child process of new shell now does inherit LCs: [alessandro@ubuntu ~]$ getpcaps $$ Capabilities for `16332': = cap_kill+i [alessandro@ubuntu ~]$ getcap /tmp/bash /tmp/bash = cap_dac_override,cap_kill+eip [alessandro@ubuntu ~]$ /tmp/bash ­l [alessandro@ubuntu ~]$ getpcaps $$ Capabilities for `16849': = cap_kill+eip cap_dac_override+ep [alessandro@ubuntu ~]$ Cap is in config file Cap is not in config file 1) Ubuntu package libpam-cap is required. Fedora has package libcap, but this setup does not work (PAM failure: System error)
Capability aassssiiggnnmmeenntt 11--1100 2.2.11 2.6.25 optional 2.6.33 built-in System-wide bounding-set Per-thread bounding-set ● Before 2.6.25 Bounding Set was system-wide ● Beginning 2.6.25 it's per-thread ● Can be dropped by process with CAP_SETPCAP via prctl(2) PR_CAPBSET_DROP operation ● Inherited at fork(2), preserved on execve(2) ● Optional until 2.6.33, then built-in
Capability aassssiiggnnmmeenntt 22--1100 N New P Previous F Capab. set to the File e Effective capability p Permitted capability i Inherited capability CBS Capability Bounding Set1 New capabilities used to be computed this way: Np (Pi∪Fi)∩(Fp∪CBS) Ne Fe∪Np Ni Pi 1) Mask of permitted capabilities retained after an execve(2). No effect on inherited caps. From kernel 2.6.25, limits inherited capabilities that can be added to self even if they are permitted.
Capability aassssiiggnnmmeenntt 33--1100 N New P Previous F Capab. set to the File e Effective capability p Permitted capability i Inherited capability CBS Capability Bounding Set1 Now they are computed this way: Np (Pi∪Fi)∩(Fp∪CBS) Ne Fe ? Np : 02 Ni Pi 2) Not and AND any more, because Effective set is a bit, no longer a set (one bit per capability) as it used to be.
Capability aassssiiggnnmmeenntt 44--1100 What does the Capability Bounding Set do? 1) On an execve(2), it ANDs out thread's permitted caps from file's permitted caps. 2) Limits thread's inheritable caps that can be added with a capset(2) (kernel >= 2.6.25). a)Filtered capability can still be permitted b)Inheritable cap can still be set if it's in file's inheritable set.
Capability aassssiiggnnmmeenntt 55--1100 Possibile security risk: undesired permitted caps. Consider the situation: 1) Parent process has CAP_X Inh, not in CBS 2) CAP_X cannot be in Perm set a) But it is retained in Inh set by children 3) Process can still exec child with CAP_X in both Perm and Inh sets! Dropping CBS can instill a false sense of security! Alone it's not sufficient!
Capability aassssiiggnnmmeenntt 66--1100 Like SUID, shell scripts' LC are not honored: [alessandro@ubuntu ~]$ cat ~/bin/test_cap.sh #!/bin/dash getpcaps $$ grep ^Cap /proc/$$/status [alessandro@ubuntu ~]$ getcap ~/bin/test_cap.sh /home/alessandro/bin/test_cap.sh = cap_linux_immutable+ep [alessandro@ubuntu ~]$ test_cap.sh Capabilities for `9093': = Not honored CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 Not honored CapBnd: 0000001fffffffff [alessandro@ubuntu ~]$
Capability aassssiiggnnmmeenntt 77--1100 Only binary executables' LC are honored: [alessandro@ubuntu ~]$ cat ~/bin/test2_cap.sh #!/tmp/dash getpcaps $$ grep ^Cap /proc/$$/status [alessandro@ubuntu ~]$ getcap ~/bin/test2_cap.sh /tmp/dash /tmp/dash = cap_linux_immutable+ep [alessandro@ubuntu ~]$ test2_cap.sh Capabilities for `9218': = cap_linux_immutable+ep CapInh: 0000000000000000 CapPrm: 0000000000000200 CapEff: 0000000000000200 Now honored Now honored CapBnd: 0000001fffffffff [alessandro@ubuntu ~]$
Capability aassssiiggnnmmeenntt 88--1100 Command capsh can reduce shell CBS: [alessandro@ubuntu ~]$ getcap $(which capsh) /sbin/capsh = cap_setpcap+p [alessandro@ubuntu ~]$ grep ^Cap /proc/$$/status CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000001fffffffff [alessandro@ubuntu ~]$ capsh ­­drop= cap_net_raw ­­[ alessandro@ubuntu ~]$ grep ^Cap /proc/$$/status CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000001fffffdfff [alessandro@ubuntu ~]$
Capability aassssiiggnnmmeenntt 99--1100 CBS reduction with capsh. Initial state: [alessandro@ubuntu ~]$ getcap $(which capsh ping) /sbin/capsh = cap_setpcap+p /bin/ping = cap_net_raw+p [alessandro@ubuntu ~]$ getpcaps $$ Capabilities for `7842': = [alessandro@ubuntu ~]$ ping ­qc1 route­add. net PING route­add. net (195.182.210.166) 56(84) bytes of data. ­­­route­add. net ping statistics ­­­1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 27.718/27.718/27.718/0.000 ms [alessandro@ubuntu ~]$
CCaappaabbiilliittyy aassssiiggnnmmeenntt 1100--1100 Running new shell with lowered CBS via capsh: [alessandro@ubuntu ~]$ capsh ­­drop= cap_net_raw ­­[ alessandro@ubuntu ~]$ grep ^Cap /proc/$$/status CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000001fffffdfff [alessandro@ubuntu ~]$ capsh ­­decode= 2000 0x0000000000002000=cap_net_raw [alessandro@ubuntu ~]$ ping ­qc1 route­add. net ping: icmp open socket: Operation not permitted [alessandro@ubuntu ~]$
DDiissttrroo ssttaattuuss 11--77 The plan is to replace as many SUID/SGID executables with capabilities as possible: ● Fedora: Last update: 2011-04-05, completion: 100% (many, but not all, SUID taken off) ● Ubuntu: WIP (Last update: 2011-09-27) Not everything SUID could be ported to Linux Capabilities (yet)
DDiissttrroo ssttaattuuss 22--77 Fedora 20 (Heisenbug): a couple dozen suid files (in a non-standard LXDE install) # find / ­xdev ­type f ­perm /111 ­perm /4000 ­user root | wc ­l 23 # /usr/sbin/mount.nfs /usr/bin/mount /usr/bin/chsh /usr/bin/write /usr/bin/fusermount /usr/bin/umount /usr/bin/chage /usr/bin/passwd /usr/bin/newgrp /usr/bin/locate /usr/bin/su /usr/bin/sudo /usr/bin/gpasswd /usr/bin/cgexec /usr/bin/chfn /usr/bin/Xorg /usr/bin/ssh­agent /usr/bin/crontab /usr/bin/at /usr/bin/ksu /usr/sbin/postqueue /usr/sbin/postdrop /usr/sbin/ssmtp /usr/bin/pkexec
DDiissttrroo ssttaattuuss 33--77 Ubuntu 14.04.1 (Trusty Tahr): a few more (also in a non-standard, XFCE install) # find / /usr ­xdev ­type f ­perm /111 ­perm /4000 ­user root | wc ­l 29 # They used to be 34 in 13.10 (Saucy Salamander)
DDiissttrroo ssttaattuuss 44--77 Let's see one case where LC do not work: [alessandro@fedora ~]$ ll /usr/bin/at ­rwsr­xr­x 1 root root 53208 5 dic 12.34 /usr/bin/at [alessandro@fedora ~]$ getcap /usr/bin/at [alessandro@fedora ~]$ Let's strip off the SUID bit and any cap: [root@fedora ~]# chmod u­s /usr/bin/at [root@fedora ~]# setcap ­r /usr/bin/at [root@fedora ~]# [alessandro@fedora ~]$ at ­f ~/bin/at.sh now+5min cannot set egid: Operation not permitted [alessandro@fedora ~]$
DDiissttrroo ssttaattuuss 55--77 Let's try to make it happy: [root@fedora ~]# setcap CAP_SETGID+ep /usr/bin/at [root@fedora ~]# No joy: [alessandro@fedora ~]$ at ­f ~/bin/at.sh now+5min cannot set euid: Operation not permitted [alessandro@fedora ~]$ [root@fedora ~]# setcap CAP_SETUID,CAP_SETGID+ep /usr/bin/at [root@fedora ~]# [alessandro@fedora ~]$ at ­f ~/bin/at.sh now+5min PAM failure: System error [alessandro@fedora ~]$ :­(
DDiissttrroo ssttaattuuss 66--77 Log says: [alessandro@fedora ~]$ tail ­1 /var/log/secure Feb 23 10:08:43 fedora at: PAM audit_log_acct_message() failed: Operation not permitted [alessandro@fedora ~]$ Game over, for now.
DDiissttrroo ssttaattuuss 77--77 Ubuntu has taken a different approach: ● it uses the same at/atd implementation (by Thomas Koenig, ig25@rz.uni-karlsruhe.de) ● it runs the daemon as user daemon ● the client command is SUID and SGUI daemon:daemon, allowing it to:  write into /var/spool/cron/atjobs/.SEQ  send atd signals Old school, simple, effective, safe.
IIssssuueess?? 11--22 «Why are not more people aware of and using capabilities? I believe that poor documentation is the primary reason. For example, Fedora 10 is missing the man pages for getpcaps, capsh and pam_cap, and the Fedora Security Guide does not even mention capabilities» (Finnbarr P. Murphy, May 28th, 2009 ) Every bit as true today!
IIssssuueess?? 22--22 ●Online distro docs stopped years ago ● Fedora Security Guide in same condition in 19.1, and is absent in 20 documentation ➢ At least man pages are there ➢ SELinux only future? ● Behaviour of LC changing over time ➢ Same commands, capabilities and sets yield different result from 2.6.24 with no errors ● libcap-ng should make programming easier
AAkknnoowwlleeddggmmeennttss 11--11 ● The Linux man-pages Project people ( https://www.kernel.org/doc/man-pages/) ● Finnbarr P. Murphy (blog post and references, useful though outdated) ● And kernel developers, of course!  Andrew G. Morgan <morgan@kernel.org>  Alexander Kjeldaas <astor@guardian.no> with help from Aleph1, Roland Buresund and Andrew Main.

Empfohlen

Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Jarod Wang
 
David container security-with_falco
David container security-with_falcoDavid container security-with_falco
David container security-with_falcoLorenzo David
 
Multiply your Testing Effectiveness with Parameterized Testing, v1
Multiply your Testing Effectiveness with Parameterized Testing, v1Multiply your Testing Effectiveness with Parameterized Testing, v1
Multiply your Testing Effectiveness with Parameterized Testing, v1Brian Okken
 
Deploying Prometheus stacks with Juju
Deploying Prometheus stacks with JujuDeploying Prometheus stacks with Juju
Deploying Prometheus stacks with JujuJ.J. Ciarlante
 
Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Brendan Gregg
 
Patching: answers to questions you probably were afraid to ask about oracle s...
Patching: answers to questions you probably were afraid to ask about oracle s...Patching: answers to questions you probably were afraid to ask about oracle s...
Patching: answers to questions you probably were afraid to ask about oracle s...DATA SECURITY SOLUTIONS
 
DiUS Computing Lca Rails Final
DiUS Computing Lca Rails FinalDiUS Computing Lca Rails Final
DiUS Computing Lca Rails FinalRobert Postill
 
Active Web Development
Active Web DevelopmentActive Web Development
Active Web DevelopmentDivya Manian
 

Empfohlen

Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Jarod Wang
 
David container security-with_falco
David container security-with_falcoDavid container security-with_falco
David container security-with_falcoLorenzo David
 
Multiply your Testing Effectiveness with Parameterized Testing, v1
Multiply your Testing Effectiveness with Parameterized Testing, v1Multiply your Testing Effectiveness with Parameterized Testing, v1
Multiply your Testing Effectiveness with Parameterized Testing, v1Brian Okken
 
Deploying Prometheus stacks with Juju
Deploying Prometheus stacks with JujuDeploying Prometheus stacks with Juju
Deploying Prometheus stacks with JujuJ.J. Ciarlante
 
Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Brendan Gregg
 
Patching: answers to questions you probably were afraid to ask about oracle s...
Patching: answers to questions you probably were afraid to ask about oracle s...Patching: answers to questions you probably were afraid to ask about oracle s...
Patching: answers to questions you probably were afraid to ask about oracle s...DATA SECURITY SOLUTIONS
 
DiUS Computing Lca Rails Final
DiUS Computing Lca Rails FinalDiUS Computing Lca Rails Final
DiUS Computing Lca Rails FinalRobert Postill
 
Active Web Development
Active Web DevelopmentActive Web Development
Active Web DevelopmentDivya Manian
 
YOW2020 Linux Systems Performance
YOW2020 Linux Systems PerformanceYOW2020 Linux Systems Performance
YOW2020 Linux Systems PerformanceBrendan Gregg
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)Brendan Gregg
 
bcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesbcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesIO Visor Project
 
Tuning parallelcodeonsolaris005
Tuning parallelcodeonsolaris005Tuning parallelcodeonsolaris005
Tuning parallelcodeonsolaris005dflexer
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerunidsecconf
 
Performance Wins with BPF: Getting Started
Performance Wins with BPF: Getting StartedPerformance Wins with BPF: Getting Started
Performance Wins with BPF: Getting StartedBrendan Gregg
 
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021Valeriy Kravchuk
 
Linux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudLinux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudAndrea Righi
 
eBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceeBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceSUSE Labs Taipei
 
LSFMM 2019 BPF Observability
LSFMM 2019 BPF ObservabilityLSFMM 2019 BPF Observability
LSFMM 2019 BPF ObservabilityBrendan Gregg
 
OSSNA 2017 Performance Analysis Superpowers with Linux BPF
OSSNA 2017 Performance Analysis Superpowers with Linux BPFOSSNA 2017 Performance Analysis Superpowers with Linux BPF
OSSNA 2017 Performance Analysis Superpowers with Linux BPFBrendan Gregg
 
LPC2019 BPF Tracing Tools
LPC2019 BPF Tracing ToolsLPC2019 BPF Tracing Tools
LPC2019 BPF Tracing ToolsBrendan Gregg
 
Security Monitoring with eBPF
Security Monitoring with eBPFSecurity Monitoring with eBPF
Security Monitoring with eBPFAlex Maestretti
 
Performance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux KernelPerformance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux Kernellcplcp1
 
Kernel Recipes 2017: Using Linux perf at Netflix
Kernel Recipes 2017: Using Linux perf at NetflixKernel Recipes 2017: Using Linux perf at Netflix
Kernel Recipes 2017: Using Linux perf at NetflixBrendan Gregg
 
BPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLabBPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLabTaeung Song
 
eBPF Workshop
eBPF WorkshopeBPF Workshop
eBPF WorkshopMichael Kehoe
 
Kernel development
Kernel developmentKernel development
Kernel developmentNuno Martins
 
Spying on the Linux kernel for fun and profit
Spying on the Linux kernel for fun and profitSpying on the Linux kernel for fun and profit
Spying on the Linux kernel for fun and profitAndrea Righi
 
Linux Performance Tools
Linux Performance ToolsLinux Performance Tools
Linux Performance ToolsBrendan Gregg
 
Linux or unix interview questions
Linux or unix interview questionsLinux or unix interview questions
Linux or unix interview questionsTeja Bheemanapally
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawnGábor Nyers
 

Weitere ähnliche Inhalte

Was ist angesagt?

YOW2020 Linux Systems Performance
YOW2020 Linux Systems PerformanceYOW2020 Linux Systems Performance
YOW2020 Linux Systems PerformanceBrendan Gregg
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)Brendan Gregg
 
bcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesbcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesIO Visor Project
 
Tuning parallelcodeonsolaris005
Tuning parallelcodeonsolaris005Tuning parallelcodeonsolaris005
Tuning parallelcodeonsolaris005dflexer
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerunidsecconf
 
Performance Wins with BPF: Getting Started
Performance Wins with BPF: Getting StartedPerformance Wins with BPF: Getting Started
Performance Wins with BPF: Getting StartedBrendan Gregg
 
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021Valeriy Kravchuk
 
Linux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudLinux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudAndrea Righi
 
eBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceeBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceSUSE Labs Taipei
 
LSFMM 2019 BPF Observability
LSFMM 2019 BPF ObservabilityLSFMM 2019 BPF Observability
LSFMM 2019 BPF ObservabilityBrendan Gregg
 
OSSNA 2017 Performance Analysis Superpowers with Linux BPF
OSSNA 2017 Performance Analysis Superpowers with Linux BPFOSSNA 2017 Performance Analysis Superpowers with Linux BPF
OSSNA 2017 Performance Analysis Superpowers with Linux BPFBrendan Gregg
 
LPC2019 BPF Tracing Tools
LPC2019 BPF Tracing ToolsLPC2019 BPF Tracing Tools
LPC2019 BPF Tracing ToolsBrendan Gregg
 
Security Monitoring with eBPF
Security Monitoring with eBPFSecurity Monitoring with eBPF
Security Monitoring with eBPFAlex Maestretti
 
Performance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux KernelPerformance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux Kernellcplcp1
 
Kernel Recipes 2017: Using Linux perf at Netflix
Kernel Recipes 2017: Using Linux perf at NetflixKernel Recipes 2017: Using Linux perf at Netflix
Kernel Recipes 2017: Using Linux perf at NetflixBrendan Gregg
 
BPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLabBPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLabTaeung Song
 
Kernel development
Kernel developmentKernel development
Kernel developmentNuno Martins
 
Spying on the Linux kernel for fun and profit
Spying on the Linux kernel for fun and profitSpying on the Linux kernel for fun and profit
Spying on the Linux kernel for fun and profitAndrea Righi
 
Linux Performance Tools
Linux Performance ToolsLinux Performance Tools
Linux Performance ToolsBrendan Gregg
 

Was ist angesagt? (20)

YOW2020 Linux Systems Performance
YOW2020 Linux Systems PerformanceYOW2020 Linux Systems Performance
YOW2020 Linux Systems Performance
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
 
bcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challengesbcc/BPF tools - Strategy, current tools, future challenges
bcc/BPF tools - Strategy, current tools, future challenges
 
Tuning parallelcodeonsolaris005
Tuning parallelcodeonsolaris005Tuning parallelcodeonsolaris005
Tuning parallelcodeonsolaris005
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerun
 
Performance Wins with BPF: Getting Started
Performance Wins with BPF: Getting StartedPerformance Wins with BPF: Getting Started
Performance Wins with BPF: Getting Started
 
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
 
Linux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudLinux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloud
 
eBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceeBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to Userspace
 
LSFMM 2019 BPF Observability
LSFMM 2019 BPF ObservabilityLSFMM 2019 BPF Observability
LSFMM 2019 BPF Observability
 
OSSNA 2017 Performance Analysis Superpowers with Linux BPF
OSSNA 2017 Performance Analysis Superpowers with Linux BPFOSSNA 2017 Performance Analysis Superpowers with Linux BPF
OSSNA 2017 Performance Analysis Superpowers with Linux BPF
 
LPC2019 BPF Tracing Tools
LPC2019 BPF Tracing ToolsLPC2019 BPF Tracing Tools
LPC2019 BPF Tracing Tools
 
Security Monitoring with eBPF
Security Monitoring with eBPFSecurity Monitoring with eBPF
Security Monitoring with eBPF
 
Performance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux KernelPerformance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux Kernel
 
Kernel Recipes 2017: Using Linux perf at Netflix
Kernel Recipes 2017: Using Linux perf at NetflixKernel Recipes 2017: Using Linux perf at Netflix
Kernel Recipes 2017: Using Linux perf at Netflix
 
BPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLabBPF / XDP 8월 세미나 KossLab
BPF / XDP 8월 세미나 KossLab
 
eBPF Workshop
eBPF WorkshopeBPF Workshop
eBPF Workshop
 
Kernel development
Kernel developmentKernel development
Kernel development
 
Spying on the Linux kernel for fun and profit
Spying on the Linux kernel for fun and profitSpying on the Linux kernel for fun and profit
Spying on the Linux kernel for fun and profit
 
Linux Performance Tools
Linux Performance ToolsLinux Performance Tools
Linux Performance Tools
 

Ähnlich wie Linux Capabilities - eng - v2.1.5, compact

Linux or unix interview questions
Linux or unix interview questionsLinux or unix interview questions
Linux or unix interview questionsTeja Bheemanapally
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawnGábor Nyers
 
Linux basic commands
Linux basic commandsLinux basic commands
Linux basic commandsSagar Kumar
 
Designing Tracing Tools
Designing Tracing ToolsDesigning Tracing Tools
Designing Tracing ToolsSysdig
 
Designing Tracing Tools
Designing Tracing ToolsDesigning Tracing Tools
Designing Tracing ToolsBrendan Gregg
 
101 apend. scripting, crond, atd
101 apend. scripting, crond, atd101 apend. scripting, crond, atd
101 apend. scripting, crond, atdAcácio Oliveira
 
Docker 原理與實作
Docker 原理與實作Docker 原理與實作
Docker 原理與實作kao kuo-tung
 
Linux Common Command
Linux Common CommandLinux Common Command
Linux Common CommandJeff Yang
 
Basic linux commands for bioinformatics
Basic linux commands for bioinformaticsBasic linux commands for bioinformatics
Basic linux commands for bioinformaticsBonnie Ng
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Praguetomasbart
 
3.1.c apend scripting, crond, atd
3.1.c apend scripting, crond, atd3.1.c apend scripting, crond, atd
3.1.c apend scripting, crond, atdAcácio Oliveira
 
Introduction to Docker (as presented at December 2013 Global Hackathon)
Introduction to Docker (as presented at December 2013 Global Hackathon)Introduction to Docker (as presented at December 2013 Global Hackathon)
Introduction to Docker (as presented at December 2013 Global Hackathon)Jérôme Petazzoni
 
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...PROIDEA
 
Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]Vincent Batts
 
Linux Server Deep Dives (DrupalCon Amsterdam)
Linux Server Deep Dives (DrupalCon Amsterdam)Linux Server Deep Dives (DrupalCon Amsterdam)
Linux Server Deep Dives (DrupalCon Amsterdam)Amin Astaneh
 

Ähnlich wie Linux Capabilities - eng - v2.1.5, compact (20)

Linux or unix interview questions
Linux or unix interview questionsLinux or unix interview questions
Linux or unix interview questions
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawn
 
Linux basic commands
Linux basic commandsLinux basic commands
Linux basic commands
 
Designing Tracing Tools
Designing Tracing ToolsDesigning Tracing Tools
Designing Tracing Tools
 
Designing Tracing Tools
Designing Tracing ToolsDesigning Tracing Tools
Designing Tracing Tools
 
101 apend. scripting, crond, atd
101 apend. scripting, crond, atd101 apend. scripting, crond, atd
101 apend. scripting, crond, atd
 
Docker 原理與實作
Docker 原理與實作Docker 原理與實作
Docker 原理與實作
 
Linux Common Command
Linux Common CommandLinux Common Command
Linux Common Command
 
Basic linux commands for bioinformatics
Basic linux commands for bioinformaticsBasic linux commands for bioinformatics
Basic linux commands for bioinformatics
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Prague
 
3.1.c apend scripting, crond, atd
3.1.c apend scripting, crond, atd3.1.c apend scripting, crond, atd
3.1.c apend scripting, crond, atd
 
unixtoolbox
unixtoolboxunixtoolbox
unixtoolbox
 
Introduction to Docker (as presented at December 2013 Global Hackathon)
Introduction to Docker (as presented at December 2013 Global Hackathon)Introduction to Docker (as presented at December 2013 Global Hackathon)
Introduction to Docker (as presented at December 2013 Global Hackathon)
 
KCC_Final.pdf
KCC_Final.pdfKCC_Final.pdf
KCC_Final.pdf
 
Jana treek 4
Jana treek 4Jana treek 4
Jana treek 4
 
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
 
Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]
 
An Introduction To Linux
An Introduction To LinuxAn Introduction To Linux
An Introduction To Linux
 
Linux Server Deep Dives (DrupalCon Amsterdam)
Linux Server Deep Dives (DrupalCon Amsterdam)Linux Server Deep Dives (DrupalCon Amsterdam)
Linux Server Deep Dives (DrupalCon Amsterdam)
 
Linux class 9 15 oct 2021-5
Linux class 9 15 oct 2021-5Linux class 9 15 oct 2021-5
Linux class 9 15 oct 2021-5
 

Kürzlich hochgeladen

5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 

Kürzlich hochgeladen (20)

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 

Linux Capabilities - eng - v2.1.5, compact

  • 1. Linux Capabilites Table of Contents Title Pages Title Pages Table of Contents 1 Extracting and... 4 Copyright Notice 1 System Configuration 2 LC: what they are... 3 Capability Assignment 10 The ping case 4 Distro Status 7 What LC for ping? 3 Issues? 2 Managing LCs 4 Aknowledgments 1 More examples 10
  • 2. CCooppyyrriigghhtt NNoottiiccee Presentation by: Alessandro Selli <alessandroselli@linux.com> Copyright © 2014 Alessandro Selli. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later one published by the Free Software Foundation, with the Invariant Section being the present slide (number 1), no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is available on-line or can be obtained from the author. Version 2.1.5, 2014/10/28
  • 3. Linux Capabilites: what they are and do 1-3 ● Started as an implementation of POSIX:  1003.1e (API), "Protection, Audit and Control Interfaces"  1003.2c (Shell and Utilities), "Protection and Control Interfaces" ● Sometimes called Linux POSIX Capabilities ● 1003.1e and 1003.2c were last revised in 1997 ● In 1999 they were set as withdrawn drafts ● Linux has thus gone it's own way
  • 4. Linux Capabilites: what they are and do 2-3 Advantages: ● They allow delegation of super-user rights to unprivileged processes, like suid bit ● They are recorded on the filesystem, like suid bit ● They do not work on a “everything or nothing” basis, unlike suid In short: ● they allow a process to do some selected things with root rights, while not anything else
  • 5. Linux Capabilites: what they are and do 3-3 Disadvantages: ● Commands need code to be made LC-conscious ● Some FS do not support LC (NFS v.3, though squashfs, tmpfs and f2fs now do): [root@debian ~]# getcap /mnt/nfs/nfsserver/dumpdates Failed to get capabilities of file `/mnt/nfs/nfsserver/dumpdates' (Operation not supported) [root@debian ~]# ● LCs are not dropped like SUID  The newer libcap-ng libs makes this easy
  • 6. TThhee ppiinngg ccaassee 11--44 ● A classic example: ping ● It needs superuser rights to send echo-request ICMP packets ● You surely do not want to let anyone be able to produce arbitrary ICMP packets! ● This is the traditional approach:
  • 7. TThhee ppiinngg ccaassee 22--44 Starting situation: [alessandro@ubuntu ~]$ lsb_release ­drc Description: Ubuntu 14.04.1 LTS Release: 14.04 Codename: trusty [alessandro@ubuntu ~]$ ll /bin/ping ­rwsr­xr­x 1 root root 44178 mag 7 23:51 /bin/ping [alessandro@ubuntu ~]$ ping ­c 3 route­add. net PING route­add. net (195.182.210.166) 56(84) bytes of data. 64 bytes from route­add. net (195.182.210.166): icmp_seq=1 ttl=55 time=46.8 ms 64 bytes from route­add. net (195.182.210.166): icmp_seq=2 ttl=55 time=46.6 ms 64 bytes from route­add. net (195.182.210.166): icmp_seq=3 ttl=55 time=45.5 ms ­­­route­add. net ping statistics ­­­3 packets transmitted, 3 received, 0% packet loss, time 2002ms rtt min/avg/max/mdev = 45.549/46.329/46.829/0.558 ms [alessandro@ubuntu ~]$
  • 8. TThhee ppiinngg ccaassee 33--44 ● According to standards, the process rights are those of the user who launched the exec Not of the owner of the executable file! ● Unless the suid bit is set, that is. ­rwsr­xr­x 1 root root 44178 mag 7 23:51 /bin/ping
  • 9. TThhee ppiinngg ccaassee 44--44 Let's “sabotage” ping: [root@ubuntu ~]# chmod u­s /bin/ping [root@ubuntu ~]# ll /bin/ping ­rwxr­xr­x 1 root root 44178 mag 7 23:51 /bin/ping [root@ubuntu ~]# The aftermath: [alessandro@ubuntu ~]$ ping ­c 3 route­add. net ping: icmp open socket: Operation not permitted [alessandro@ubuntu ~]$ If not otherwise stated, Ubuntu and Fedora it's the same.
  • 10. WWhhaatt LLCC ffoorr ppiinngg?? 11--33 ● We want both the power and the safety ● We want to be able to open ICMP sockets without assuming full root privileges! ● How do Linux Capabilities help us out? ● RTFM, of course! ➢ man capabilities(7) ➢ Most up-to-date list & info: linux/include/uapi/linux/capability.h
  • 11. WWhhaatt LLCC ffoorr ppiinngg?? 22--33 We get many capabilities to choose from: AUDIT_CONTROL AUDIT_WRITE BLOCK_SUSPEND CHOWN DAC_OVERRIDE DAC_READ_SEARCHC AP_LEASE FOWNER FSETID IPC_LOCK IPC_OWNER KILL LEASE LINUX_IMMUTABLE MAC_ADMIN MAC_OVERRIDE MKNOD NET_ADMIN NET_BIND_SERVICE This is what we need now NET_RAW SETGID SETFCAP SETPCAP SETUID SYS_ADMIN SYS_BOOT SYS_CHROOT SYS_MODULE SYS_NICE SYS_PACCT SYS_PTRACE SYS_RAWIO SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG SYSLOG WAKE_ALARM
  • 12. WWhhaatt LLCC ffoorr ppiinngg?? 22--33 We get many capabilities to choose from: AUDIT_CONTROL AUDIT_WRITE BLOCK_SUSPEND CHOWN DAC_OVERRIDE DAC_READ_SEARCHC AP_LEASE Leading CAP_ omitted everywhere FOWNER FSETID IPC_LOCK IPC_OWNER KILL LEASE LINUX_IMMUTABLE MAC_ADMIN MAC_OVERRIDE MKNOD NET_ADMIN NET_BIND_SERVICE This is what we need now NET_RAW SETGID SETFCAP SETPCAP SETUID SYS_ADMIN SYS_BOOT SYS_CHROOT SYS_MODULE SYS_NICE SYS_PACCT SYS_PTRACE SYS_RAWIO SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG SYSLOG WAKE_ALARM
  • 13. WWhhaatt LLCC ffoorr ppiinngg?? 33--33 Man page says: CAP_NET_RAW * use RAW and PACKET sockets; * bind to any address for transparent proxying. Sounds like what we need. How shall we apply it?
  • 14. MMaannaaggiinngg LLCCss 11--44 Capabilities can be handled whith commands: ➢ getcap, display file capabilities ➢ setcap, set file capabilities ➢ getpcaps, display process capabilities ➢ capsh, capability shell wrapper Each capability can have these sets associated: ➢ p, process is permitted the capability ➢ e, capability is marked as effective ➢ i, capability is inherited after an execve()
  • 15. MMaannaaggiinngg LLCCss 11--44 Capabilities can be handled whith commands: ➢ getcap, display file capabilities ➢ setcap, set file capabilities ➢ getpcaps, display process capabilities ➢ capsh, capability shell wrapper Each capability can have these sets associated: ➢ p, process is permitted the capability ➢ e, capability is marked as effective ➢ i, capability is inherited after an execve() This has become a bit
  • 16. MMaannaaggiinngg LLCCss 22--44 Let's start using them: [root@ubuntu ~]# chmod u­s /bin/ping [root@ubuntu ~]# ll /bin/ping ­rwxr­xr­x 1 root root 44168 mag 7 23:51 /bin/ping* [root@ubuntu ~]# getcap /bin/ping [root@ubuntu ~]# setcap CAP_NET_RAW=ep /bin/ping Case sensitive! Case-insensitive
  • 17. MMaannaaggiinngg LLCCss 22--44 Let's start using them: [root@ubuntu ~]# chmod u­s /bin/ping [root@ubuntu ~]# ll /bin/ping ­rwxr­xr­x 1 root root 44168 mag 7 23:51 /bin/ping* [root@ubuntu ~]# getcap /bin/ping [root@ubuntu ~]# setcap CAP_NET_RAW=ep /bin/ping [root@ubuntu ~]# getcap /bin/ping /bin/ping = cap_net_raw+ep [root@ubuntu ~]# Can use this notation with setcap, too
  • 18. MMaannaaggiinngg LLCCss 33--44 Does it work? [alessandro@ubuntu ~]$ ping ­c 3 route­add. net PING route­add. net (195.182.210.166) 56(84) bytes of data. 64 bytes from route­add. net (195.182.210.166): icmp_seq=1 ttl=55 time=30.7 ms 64 bytes from route­add. net (195.182.210.166): icmp_seq=2 ttl=55 time=30.9 ms 64 bytes from route­add. net (195.182.210.166): icmp_seq=3 ttl=55 time=31.3 ms ­­­route­add. net ping statistics ­­­3 packets transmitted, 3 received, 0% packet loss, time 2000ms rtt min/avg/max/mdev = 30.709/30.988/31.350/0.304 ms [alessandro@ubuntu ~]$
  • 19. MMaannaaggiinngg LLCCss 44--44 Just a note: ping capabilities in Fedora 20: [root@fedora ~]# getcap /bin/ping /bin/ping = cap_net_admin,cap_net_raw+ep [root@fedora ~]# CAP_NET_ADMIN is for packet tagging: [alessandro@fedora ~]$ ping ­c1 ­m 123 route­add. net PING route­add. net (195.182.210.166) 56(84) bytes of data. Warning: Failed to set mark 123 64 bytes from route­add. net (195.182.210.166): icmp_seq=1 ttl=53 time=45.8 ms ­­­route­add. net ping statistics ­­­1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 45.802/45.802/45.802/0.000 ms [alessandro@fedora ~]$
  • 20. MMoorree eexxaammpplleess 11--1111 Everyone knows of extended POSIX attributes, right? RRiigghhtt?? If you don't, you ought to. ● LC are useful, even necessary to make use of EPA.
  • 21. MMoorree eexxaammpplleess 22--1111 EPAs let you, among the rest, set files that: ­a: can only have data be appended to ­i: are immutable (cannot overwrite or erase) ­S: do synchronous writes on the media ­D: synchronous writes on directories ... (there can be up to 19) Figuring out what filesystem supports which EPA and with not is a matter of guesswork...
  • 22. MMoorree eexxaammpplleess 33--1111 There is one catch, though: ● chattr does not work for ordinary users: [alessandro@fedora ~]$ chattr +i .bashrc chattr: Operation not permitted while setting flags on .bashrc [alessandro@fedora ~]$
  • 23. MMoorree eexxaammpplleess 44--1111 Classical UNIX solution is to make it SUID root: [root@fedora ~]# ll /usr/bin/chattr ­rwxr­xr­x 1 root root 10528 giu 24 13:10 /usr/bin/chattr [root@fedora ~]# chmod u+s /usr/bin/chattr [root@fedora ~]# ll /usr/bin/chattr ­rwsr­xr­x 1 root root 10528 giu 24 13:10 /usr/bin/chattr [root@fedora ~]# It would work: [alessandro@fedora ~]$ chattr +i .bashrc [alessandro@fedora ~]$ lsattr .bashrc ­­­­i­­­­­­­­e­­. bashrc [alessandro@fedora ~]$
  • 24. MMoorree eexxaammpplleess 55--1111 But... [alessandro@fedora ~]$ lsattr ~games/.profile ­­­­­­­­­­­­­e­­/ opt/games/.profile [alessandro@fedora ~]$ chattr +i ~games/.profile [alessandro@fedora ~]$ lsattr ~games/.profile ­­­­i­­­­­­­­e­­/ usr/games/.profile [alessandro@fedora ~]$ Which is normal for superuser rights. We definitely do not want this to happen.
  • 25. MMoorree eexxaammpplleess 66--1111 This is the right way to do it: [root@fedora ~]# chmod u­s /bin/chattr [root@fedora ~]# ll /bin/chattr ­rwxr­xr­x 1 root root 10736 Aug 3 11:36 /bin/chattr [root@fedora ~]# setcap CAP_LINUX_IMMUTABLE=ep /bin/chattr [root@fedora ~]# getcap /bin/chattr /bin/chattr = cap_linux_immutable+ep [root@fedora ~]#
  • 26. MMoorree eexxaammpplleess 77--1111 Which causes the right things to happen: [alessandro@fedora ~]$ lsattr .bashrc ­­­­­­­­­­­­­e­­. bashrc [alessandro@fedora ~]$ chattr +i .bashrc [alessandro@fedora ~]$ lsattr .bashrc ­­­­i­­­­­­­­e­­. bashrc [alessandro@fedora ~]$ chattr +i ~games/.profile chattr: Permission denied while setting flags on /usr/games/.profile [alessandro@fedora ~]$
  • 27. "I'm sorry Dave, I'm afraid I can't do that".
  • 28. MMoorree eexxaammpplleess 88--1111 ●DAC = Discretionary Access Control ● It's the classic Unix “who gets to do what” decision mechanism ● In the filesystem it shows as the rwx file rights ● Linux Capabilities can mess them up as well! :-)
  • 29. MMoorree eexxaammpplleess 99--1111 Let's beep the beeper! (In an xterm) [alessandro@fedora ~]$ beep ­f 2000 ­l 100 Could not open /dev/tty0 or /dev/vc/0 for writing open: No such file or directory [alessandro@fedora ~]$ Man page says: By default beep is not installed with the suid bit set, because that would just be zany. On the other hand, if you do make it suid root, all your problems with beep bailing on ioctl calls will magically vanish, which is pleasant, and the only reason not to is that any suid program is a potential security hole. Conveniently, beep is very short, so auditing it is pretty straightforward.
  • 30. MMoorree eexxaammpplleess 1100--1111 Let's try using LC instead. The error we got was: Could not open /dev/tty0 or /dev/vc/0 for writing That is, it's a DAC issue. [root@fedora ~]# setcap CAP_DAC_OVERRIDE=pe /bin/beep [root@fedora ~]# [alessandro@fedora ~]$ beep ­f 2000 ­l 100 ioctl: Operation not permitted ioctl: Operation not permitted [alessandro@fedora ~]$ CAP_SYS_TTY_CONFIG Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals. From beep(1):
  • 31. MMoorree eexxaammpplleess 1100--1111 Both capabilities together: [root@fedora ~]# setcap > CAP_DAC_OVERRIDE,CAP_SYS_TTY_CONFIG=pe /bin/beep [root@fedora ~]# [alessandro@fedora ~]$ beep ­f 2000 ­l 100 [alessandro@fedora ~]$
  • 32. "All right Dave, I think I figured out a way to do that"
  • 33. Extracting and Decoding LC info 1-4 What LCs are active now? [root@ubuntu ~]# cp /bin/bash /tmp/ [root@ubuntu ~]# setcap CAP_KILL,CAP_DAC_OVERRIDE+epi /tmp/bash [root@ubuntu ~]# getcap /tmp/bash /tmp/bash = cap_dac_override,cap_kill+eip [root@ubuntu ~]# Inheritance is set [alessandro@ubuntu ~]$ /tmp/bash ­l [alessandro@ubuntu ~]$ getpcaps $$ Capabilities for `15400': = cap_dac_override,cap_kill+ep [alessandro@ubuntu ~]$ grep ^Cap /proc/$$/status CapInh: 0000000000000000 CapPrm: 0000000000000022 CapEff: 0000000000000022 CapBnd: 0000001fffffffff [alessandro@ubuntu ~]$ Inheritance is missing!
  • 34. Extracting and Decoding LC info 2-4 Decoding Hex LC bitmap: [alessandro@ubuntu ~]$ grep ^Cap /proc/$$/status CapInh: 0000000000000000 CapPrm: 0000000000000022 CapEff: 0000000000000022 CapBnd: 0000001fffffffff [alessandro@ubuntu ~]$ capsh ­­decode= 0000000000000000 0x0000000000000000= [alessandro@ubuntu ~]$ capsh ­­decode= 0000000000000022 0x0000000000000022=cap_dac_override,cap_kill [alessandro@ubuntu ~]$ Still represented as a set
  • 35. Extracting and Decoding LC info 3-4 0000001fffffffff = Capability Bounding Set 1 = allowable cap (kept if present) 0 = masked cap (or no LC associated to bit) Bits are mapped one-to-one to a LC 0000001fffffffff is a 64-bit mask ● It's been a 64 bit mask since libcap vers. 2.03 ● Before it was 32-bit
  • 36. Extracting and Decoding LC info 4-4 Number of bit-mapped capabilities is consistent with zero-based value stored in /proc/sys/kernel/cap_last_cap Kernel 3.14.19:1fffffffff → 1+9*4=37 /proc/sys/kernel/cap_last_cap = 36 Kernel 3.16.3: 3fffffffff → 2+9*4=38 /proc/sys/kernel/cap_last_cap = 37
  • 37. SSyysstteemm CCoonnffiigguurraattiioonn 11--22 capability.conf1: users who inherit LCs [root@ubuntu ~]# cat /etc/security/capability.conf cap_kill alessandro none * [root@ubuntu ~]# Changes are effective after a new login: Ubuntu 14.04.1 LTS ubuntu tty1 If missing all users get all available capabilities! CAP_KILL is now inherited ubuntu login: alessandro Password: [alessandro@ubuntu ~]$ getpcaps $$ Capabilities for `8586': = cap_kill+i [alessandro@ubuntu ~]$
  • 38. SSyysstteemm CCoonnffiigguurraattiioonn 22--22 Child process of new shell now does inherit LCs: [alessandro@ubuntu ~]$ getpcaps $$ Capabilities for `16332': = cap_kill+i [alessandro@ubuntu ~]$ getcap /tmp/bash /tmp/bash = cap_dac_override,cap_kill+eip [alessandro@ubuntu ~]$ /tmp/bash ­l [alessandro@ubuntu ~]$ getpcaps $$ Capabilities for `16849': = cap_kill+eip cap_dac_override+ep [alessandro@ubuntu ~]$ Cap is in config file Cap is not in config file 1) Ubuntu package libpam-cap is required. Fedora has package libcap, but this setup does not work (PAM failure: System error)
  • 39. Capability aassssiiggnnmmeenntt 11--1100 2.2.11 2.6.25 optional 2.6.33 built-in System-wide bounding-set Per-thread bounding-set ● Before 2.6.25 Bounding Set was system-wide ● Beginning 2.6.25 it's per-thread ● Can be dropped by process with CAP_SETPCAP via prctl(2) PR_CAPBSET_DROP operation ● Inherited at fork(2), preserved on execve(2) ● Optional until 2.6.33, then built-in
  • 40. Capability aassssiiggnnmmeenntt 22--1100 N New P Previous F Capab. set to the File e Effective capability p Permitted capability i Inherited capability CBS Capability Bounding Set1 New capabilities used to be computed this way: Np (Pi∪Fi)∩(Fp∪CBS) Ne Fe∪Np Ni Pi 1) Mask of permitted capabilities retained after an execve(2). No effect on inherited caps. From kernel 2.6.25, limits inherited capabilities that can be added to self even if they are permitted.
  • 41. Capability aassssiiggnnmmeenntt 33--1100 N New P Previous F Capab. set to the File e Effective capability p Permitted capability i Inherited capability CBS Capability Bounding Set1 Now they are computed this way: Np (Pi∪Fi)∩(Fp∪CBS) Ne Fe ? Np : 02 Ni Pi 2) Not and AND any more, because Effective set is a bit, no longer a set (one bit per capability) as it used to be.
  • 42. Capability aassssiiggnnmmeenntt 44--1100 What does the Capability Bounding Set do? 1) On an execve(2), it ANDs out thread's permitted caps from file's permitted caps. 2) Limits thread's inheritable caps that can be added with a capset(2) (kernel >= 2.6.25). a)Filtered capability can still be permitted b)Inheritable cap can still be set if it's in file's inheritable set.
  • 43. Capability aassssiiggnnmmeenntt 55--1100 Possibile security risk: undesired permitted caps. Consider the situation: 1) Parent process has CAP_X Inh, not in CBS 2) CAP_X cannot be in Perm set a) But it is retained in Inh set by children 3) Process can still exec child with CAP_X in both Perm and Inh sets! Dropping CBS can instill a false sense of security! Alone it's not sufficient!
  • 44. Capability aassssiiggnnmmeenntt 66--1100 Like SUID, shell scripts' LC are not honored: [alessandro@ubuntu ~]$ cat ~/bin/test_cap.sh #!/bin/dash getpcaps $$ grep ^Cap /proc/$$/status [alessandro@ubuntu ~]$ getcap ~/bin/test_cap.sh /home/alessandro/bin/test_cap.sh = cap_linux_immutable+ep [alessandro@ubuntu ~]$ test_cap.sh Capabilities for `9093': = Not honored CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 Not honored CapBnd: 0000001fffffffff [alessandro@ubuntu ~]$
  • 45. Capability aassssiiggnnmmeenntt 77--1100 Only binary executables' LC are honored: [alessandro@ubuntu ~]$ cat ~/bin/test2_cap.sh #!/tmp/dash getpcaps $$ grep ^Cap /proc/$$/status [alessandro@ubuntu ~]$ getcap ~/bin/test2_cap.sh /tmp/dash /tmp/dash = cap_linux_immutable+ep [alessandro@ubuntu ~]$ test2_cap.sh Capabilities for `9218': = cap_linux_immutable+ep CapInh: 0000000000000000 CapPrm: 0000000000000200 CapEff: 0000000000000200 Now honored Now honored CapBnd: 0000001fffffffff [alessandro@ubuntu ~]$
  • 46. Capability aassssiiggnnmmeenntt 88--1100 Command capsh can reduce shell CBS: [alessandro@ubuntu ~]$ getcap $(which capsh) /sbin/capsh = cap_setpcap+p [alessandro@ubuntu ~]$ grep ^Cap /proc/$$/status CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000001fffffffff [alessandro@ubuntu ~]$ capsh ­­drop= cap_net_raw ­­[ alessandro@ubuntu ~]$ grep ^Cap /proc/$$/status CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000001fffffdfff [alessandro@ubuntu ~]$
  • 47. Capability aassssiiggnnmmeenntt 99--1100 CBS reduction with capsh. Initial state: [alessandro@ubuntu ~]$ getcap $(which capsh ping) /sbin/capsh = cap_setpcap+p /bin/ping = cap_net_raw+p [alessandro@ubuntu ~]$ getpcaps $$ Capabilities for `7842': = [alessandro@ubuntu ~]$ ping ­qc1 route­add. net PING route­add. net (195.182.210.166) 56(84) bytes of data. ­­­route­add. net ping statistics ­­­1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 27.718/27.718/27.718/0.000 ms [alessandro@ubuntu ~]$
  • 48. CCaappaabbiilliittyy aassssiiggnnmmeenntt 1100--1100 Running new shell with lowered CBS via capsh: [alessandro@ubuntu ~]$ capsh ­­drop= cap_net_raw ­­[ alessandro@ubuntu ~]$ grep ^Cap /proc/$$/status CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 CapBnd: 0000001fffffdfff [alessandro@ubuntu ~]$ capsh ­­decode= 2000 0x0000000000002000=cap_net_raw [alessandro@ubuntu ~]$ ping ­qc1 route­add. net ping: icmp open socket: Operation not permitted [alessandro@ubuntu ~]$
  • 49. DDiissttrroo ssttaattuuss 11--77 The plan is to replace as many SUID/SGID executables with capabilities as possible: ● Fedora: Last update: 2011-04-05, completion: 100% (many, but not all, SUID taken off) ● Ubuntu: WIP (Last update: 2011-09-27) Not everything SUID could be ported to Linux Capabilities (yet)
  • 50. DDiissttrroo ssttaattuuss 22--77 Fedora 20 (Heisenbug): a couple dozen suid files (in a non-standard LXDE install) # find / ­xdev ­type f ­perm /111 ­perm /4000 ­user root | wc ­l 23 # /usr/sbin/mount.nfs /usr/bin/mount /usr/bin/chsh /usr/bin/write /usr/bin/fusermount /usr/bin/umount /usr/bin/chage /usr/bin/passwd /usr/bin/newgrp /usr/bin/locate /usr/bin/su /usr/bin/sudo /usr/bin/gpasswd /usr/bin/cgexec /usr/bin/chfn /usr/bin/Xorg /usr/bin/ssh­agent /usr/bin/crontab /usr/bin/at /usr/bin/ksu /usr/sbin/postqueue /usr/sbin/postdrop /usr/sbin/ssmtp /usr/bin/pkexec
  • 51. DDiissttrroo ssttaattuuss 33--77 Ubuntu 14.04.1 (Trusty Tahr): a few more (also in a non-standard, XFCE install) # find / /usr ­xdev ­type f ­perm /111 ­perm /4000 ­user root | wc ­l 29 # They used to be 34 in 13.10 (Saucy Salamander)
  • 52. DDiissttrroo ssttaattuuss 44--77 Let's see one case where LC do not work: [alessandro@fedora ~]$ ll /usr/bin/at ­rwsr­xr­x 1 root root 53208 5 dic 12.34 /usr/bin/at [alessandro@fedora ~]$ getcap /usr/bin/at [alessandro@fedora ~]$ Let's strip off the SUID bit and any cap: [root@fedora ~]# chmod u­s /usr/bin/at [root@fedora ~]# setcap ­r /usr/bin/at [root@fedora ~]# [alessandro@fedora ~]$ at ­f ~/bin/at.sh now+5min cannot set egid: Operation not permitted [alessandro@fedora ~]$
  • 53. DDiissttrroo ssttaattuuss 55--77 Let's try to make it happy: [root@fedora ~]# setcap CAP_SETGID+ep /usr/bin/at [root@fedora ~]# No joy: [alessandro@fedora ~]$ at ­f ~/bin/at.sh now+5min cannot set euid: Operation not permitted [alessandro@fedora ~]$ [root@fedora ~]# setcap CAP_SETUID,CAP_SETGID+ep /usr/bin/at [root@fedora ~]# [alessandro@fedora ~]$ at ­f ~/bin/at.sh now+5min PAM failure: System error [alessandro@fedora ~]$ :­(
  • 54. DDiissttrroo ssttaattuuss 66--77 Log says: [alessandro@fedora ~]$ tail ­1 /var/log/secure Feb 23 10:08:43 fedora at: PAM audit_log_acct_message() failed: Operation not permitted [alessandro@fedora ~]$ Game over, for now.
  • 55. DDiissttrroo ssttaattuuss 77--77 Ubuntu has taken a different approach: ● it uses the same at/atd implementation (by Thomas Koenig, ig25@rz.uni-karlsruhe.de) ● it runs the daemon as user daemon ● the client command is SUID and SGUI daemon:daemon, allowing it to:  write into /var/spool/cron/atjobs/.SEQ  send atd signals Old school, simple, effective, safe.
  • 56. IIssssuueess?? 11--22 «Why are not more people aware of and using capabilities? I believe that poor documentation is the primary reason. For example, Fedora 10 is missing the man pages for getpcaps, capsh and pam_cap, and the Fedora Security Guide does not even mention capabilities» (Finnbarr P. Murphy, May 28th, 2009 ) Every bit as true today!
  • 57. IIssssuueess?? 22--22 ●Online distro docs stopped years ago ● Fedora Security Guide in same condition in 19.1, and is absent in 20 documentation ➢ At least man pages are there ➢ SELinux only future? ● Behaviour of LC changing over time ➢ Same commands, capabilities and sets yield different result from 2.6.24 with no errors ● libcap-ng should make programming easier
  • 58. AAkknnoowwlleeddggmmeennttss 11--11 ● The Linux man-pages Project people ( https://www.kernel.org/doc/man-pages/) ● Finnbarr P. Murphy (blog post and references, useful though outdated) ● And kernel developers, of course!  Andrew G. Morgan <morgan@kernel.org>  Alexander Kjeldaas <astor@guardian.no> with help from Aleph1, Roland Buresund and Andrew Main.