
@haxxinen
Created February 10, 2020 21:32
Linux Capabilities - Permissions

info

  • even root can be privileged or unprivileged
  • super-user does not always imply root (uid == 0)
  • a process can run as root without any capabilities (and the other way around)
  • process capabilities have been around for a while (file capabilities are more recent)
  • capabilities are enabled by default in all modern Linux distros (nobody uses them :D - "but the man in the box does...")
    • management tools installed by default
  • it's really easy to lose file capabilities when moving files around the system (bugs, bugs, bugs...)

installing

# apt-get install libcap2-bin -yqq

the binaries

# /sbin/capsh
# /sbin/getpcaps
# /sbin/getcap
# /sbin/setcap

what can we do to improve security

  • reduce privileges on setuid-root files
  • run services as non-root (uid != 0)
  • run services as root (uid == 0), but with minimum super-user privileges
  • allow access to files for a specific admin/process only (must have the correct uid)
  • configure a file to run with privileges while not being run by root

ping case-study

let's move ping around

$ ls -la /bin/ping
-rwsr-xr-x 1 root root 61240 [NOLOGSNOCRIME] /bin/ping
$ cp /bin/ping /tmp/
$ ls -la /tmp/ping
-rwxr-xr-x 1 userx userx 61240 [NOLOGSNOCRIME] /tmp/ping

if we use it...

$ /tmp/ping -c1 1.1.1.1
ping: socket: Operation not permitted

adjusting file capabilities

$ sudo /sbin/setcap cap_net_raw=ep /tmp/ping
$ /tmp/ping -c1 1.1.1.1 | grep received
1 packets transmitted, 1 received, 0% packet loss, time 0ms 
$ /sbin/getcap /tmp/ping
/tmp/ping = cap_net_raw+ep

to revert file capabilities

$ sudo /sbin/setcap -r /tmp/ping

preserve file capabilities

$ sudo cp /tmp/ping /opt
$ ls -la /opt/ping
-rwxr-xr-x 1 root root 61240 [NOLOGSNOCRIME] /opt/ping
$ /sbin/getcap /opt/ping
[no output: the plain cp lost the capabilities]
$ sudo cp --preserve=all /tmp/ping /opt
$ /sbin/getcap /opt/ping
/opt/ping = cap_net_raw+ep

to drop capabilities

$ /sbin/capsh --drop=cap_net_raw+ep -- -c "/bin/ping -c 1 1.1.1.1"
unable to raise CAP_SETPCAP for BSET changes: Operation not permitted

to gain capabilities

$ sudo /sbin/capsh --caps=cap_net_raw+ep -- -c "/tmp/ping -c1 1.1.1.1" | grep received
1 packets transmitted, 1 received, 0% packet loss, time 0ms

case study cap_dac_read_search

$ capsh --print | head -n1
Current: = cap_dac_read_search+i

$ /sbin/capsh --caps=cap_dac_read_search+i --addamb=cap_dac_read_search+i -- -c "cat /var/log/auth.log"

$ /sbin/capsh --caps=cap_dac_read_search --addamb=cap_dac_read_search -- -c "cat /var/log/auth.log"
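The strings setcap, getcap and capsh print above (`cap_net_raw+ep`, `cap_net_raw=ep`, `= cap_dac_read_search+i`) all follow the cap_from_text(3) grammar: `=` first clears the listed caps (all of them when none are listed) from the effective, permitted and inheritable sets and then raises them in the flags given, while `+` and `-` only raise or lower. As an added example that is not part of the gist, here is a Python implementation of that grammar plus an audit of constructed `getcap -r` output that reports what each file grants on exec and flags capabilities worth a second look; the watch-list, the function names and the sample paths are assumptions.

```python
import re

# The 41 capability names of recent kernels; "all" expands to this set.
CAP_NAMES = frozenset("""cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid
cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service
cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module
cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot
cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease
cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog
cap_wake_alarm cap_block_suspend cap_audit_read cap_perfmon cap_bpf cap_checkpoint_restore""".split())

# Watch-list (an assumption): caps that bypass DAC, change identity or equal root.
REVIEW = {"cap_dac_read_search", "cap_dac_override", "cap_setuid", "cap_setgid",
          "cap_setpcap", "cap_sys_admin", "cap_sys_ptrace", "cap_fowner", "cap_chown"}
CLAUSE = re.compile(r"^([a-z0-9_,]*)((?:[=+-][eip]*)+)$")  # names then op/flag pairs

def parse_caps(text):
    """cap_from_text(3): '=' clears the listed caps (all, if none listed) from e, p
    and i, then raises them in the given flags; '+' / '-' raise / lower them."""
    sets = {"e": set(), "p": set(), "i": set()}
    for clause in text.lower().split():
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError("bad clause: %r" % clause)
        names, actions = m.groups()
        caps = set(CAP_NAMES if names in ("", "all") else names.split(","))
        if not caps <= CAP_NAMES:
            raise ValueError("unknown capability in %r" % clause)
        for op, flags in re.findall(r"([=+-])([eip]*)", actions):
            if op == "=":                      # reset in all three sets first
                for s in sets.values():
                    s -= caps
            for f in flags:                    # then raise ('=', '+') or lower ('-')
                sets[f] = sets[f] - caps if op == "-" else sets[f] | caps
    return sets

# Constructed 'getcap -r' output in both styles libcap prints: "path = caps" and "path caps".
SAMPLE_GETCAP = ("/tmp/ping = cap_net_raw+ep\n"
                 "/opt/tools/reader = cap_dac_read_search+ep\n"
                 "/opt/app/lockmem cap_ipc_lock=ep\n")

def audit_getcap(output):
    """Per file: (permitted caps gained on exec, those on the watch-list, effective?).
    File inheritable bits are ignored: they only count ANDed with the caller's pI."""
    report = {}
    for line in output.strip().splitlines():
        path, caps = re.split(r"\s+=?\s*", line.strip(), maxsplit=1)
        s = parse_caps(caps)
        report[path] = (sorted(s["p"]), sorted(s["p"] & REVIEW), bool(s["e"]))
    return report
```

Run `audit_getcap` over real `getcap -r / 2>/dev/null` output to get the same report for a live box; a `+p`-only entry shows as not effective because the binary must raise the capability itself.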

references

https://nxnjz.net/2018/08/an-interesting-privilege-escalation-vector-getcap/
http://man7.org/linux/man-pages/man3/cap_from_text.3.html
http://man7.org/linux/man-pages/man1/capsh.1.html