Capabilities

Capabilities (POSIX 1003.1e, capabilities(7)) provide fine-grained control over superuser permissions, allowing use of the root user to be avoided. Software developers are encouraged to replace uses of the powerful setuid attribute in a system binary with a more minimal set of capabilities. Many packages make use of capabilities, such as CAP_NET_RAW being used for fping. This enables fping to be run by a normal user (as with the setuid method), while at the same time limiting the security consequences of a potential vulnerability in fping.

Implementation

Capabilities are implemented on Linux using extended attributes (xattr(7)) in the security namespace. Extended attributes are supported by all major Linux file systems, including Ext2, Ext3, Ext4, Btrfs, JFS, XFS, and Reiserfs. The following example prints the capabilities of fping with getcap, and then prints the same data in its encoded form using getfattr:

$ getcap /usr/bin/fping
/usr/bin/fping cap_net_raw=ep
$ getfattr -d -m "^security\\." /usr/bin/fping
# file: usr/bin/fping
security.capability=0sAQAAAgAgAAAAAAAAAAAAAAAAAAA=

Extended attributes are copied automatically by cp -a, but some other programs require a special flag: .

Capabilities are set by package install scripts on Arch (e.g. fping.install).

Administration and maintenance

It is considered a bug if a package has overly permissive capabilities, so these cases should be reported rather than listed here. A capability essentially equivalent to root access () or trivially allowing root access () does not count as a bug since Arch does not support any MAC/RBAC systems.

Other programs that benefit from capabilities

The following packages do not have files with the setuid attribute but require root privileges to work. By enabling some capabilities, regular users can use the program without privilege elevation.

The +ep behind the capability means "effective permitted", more information can be found at .

beep

 
# setcap cap_dac_override,cap_sys_tty_config+ep /usr/bin/beep

chvt

 
# setcap cap_dac_read_search,cap_sys_tty_config+ep /usr/bin/chvt

iftop

 
# setcap cap_net_raw+ep /usr/bin/iftop

mii-tool

 
# setcap cap_net_admin+ep /usr/bin/mii-tool

mtr

 
# setcap cap_net_raw+ep /usr/bin/mtr-packet

nethogs

 
# setcap cap_net_admin,cap_net_raw+ep /usr/bin/nethogs

wavemon

 
# setcap cap_net_admin+ep /usr/bin/wavemon

Useful commands

Find setuid-root files:

$ find /usr/bin /usr/lib -perm /4000 -user root

Find setgid-root files:

$ find /usr/bin /usr/lib -perm /2000 -group root

Running a program with temporary capabilities

Using it is possible to run a program with some specific capabilities without modifying the extended attributes of the binary. The following example shows how to attach to a process using GDB using the capability:

$ sudo -E capsh --caps="cap_setpcap,cap_setuid,cap_setgid+ep cap_sys_ptrace+eip" --keep=1 --user="$USER" --addamb="cap_sys_ptrace" --shell=/usr/bin/gdb -- -p <pid>

An example of binding to a low port using netcat:

$ sudo -E capsh --caps="cap_setpcap,cap_setuid,cap_setgid+ep cap_net_bind_service+eip" --keep=1 --user="$USER" --addamb="cap_net_bind_service" --shell=/usr/bin/nc -- -lvtn 123
Listening on 0.0.0.0 123
gollark: But presumably <@336962240848855040> means DNS servers for users, not authoritative DNS.
gollark: I assumed most people used dedicated providers for that nowadays.
gollark: Person #1281490129491 after they buy inadequate laser safety goggles.
gollark: All other interpretations are class-ΞΆ heresy.
gollark: They are part of the weekend. They occur at the end of the week. After the end of the week, it is a new week, and also Monday.

See also
This article is issued from Archlinux. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.