Questions tagged [capabilities]

A capability is a set of access rights granted to a subject, often transferable. Capabilities are a method for access control.

Capabilities are tokens that represent a set of access rights given to a principal in a system. Possession of a capability indicates that the principal is authorized to make the access that the capability describes. An example of a capability is “this process may access the file F”.

A dual approach to capabilities is access control lists, where the object contains the list of principals that may access it.

23 questions
2
votes
1 answer

What additional protection does seccomp provide when compared to capabilities?

From this answer I understand that seccomp-bpf filters the list of syscalls a process can call. Similarly, the capabilities mechanism will cause a syscall to fail if the caller does not have the capability necessary for that syscall. What I want to…
inorik
2
votes
0 answers

attach with gdb after dropping privileges

Under Ubuntu 16.04 LTS, I cannot seem to debug a once-privileged process for love or money as an unprivileged user. The file is setgid (mode 2755). It forks, and the child: releases its capabilities; calls setgid(getgid()). Yet, gdb cannot…
2
votes
2 answers

Making a file immutable (against kernel exploits)

I'd like to know how to make files completely immutable. "Completely" refers in this case to: immutable while the system is running. I could live with something like physical access where someone e.g. uses a live CD to change the immutable files on a…
rover01
1
vote
1 answer

How to keep data in eBPF maps secure

I have read that there are some capabilities that are broken out of CAP_SYS_ADMIN, specifically CAP_BPF, CAP_NET_ADMIN, CAP_PERFMON, etc. I also read that data structures called maps are used to store data and that other eBPF programs can read data in…
1
vote
1 answer

Use of S/MIME capabilities attribute

If you examine an S/MIME-signed file with $ openssl cms -in file.sgn -noout -cmsout -print you see that S/MIME capabilities are also included in the signature: ... object: S/MIME Capabilities (1.2.840.113549.1.9.15) value.set: …
user1511417
0
votes
1 answer

Capabilities DROP in container of Kubernetes pod running with specific UID

I am doing some security research on Kubernetes and I found something still mysterious to me, concerning capabilities. Example of simple pod: apiVersion: v1 kind: Pod metadata: name: my-pod-httpd spec: containers: - name: my-pod-httpd-c1 …
cactuschibre
0
votes
0 answers

Playing with cap_dac_read_search, but still unable to read /etc/shadow

I'm playing around with capsh and the cap_dac_read_search capability on an Ubuntu 20.04 machine (kernel version 5.4.0). In theory the nobody user can read /etc/shadow if I gave cap_dac_read_search capability to the cat process, but it didn't work: #…
daisy
-1
votes
1 answer

Are IPv4 more intuitively hard to track than IPv6?

I understand that it is easier for a human to intuitively figure out the alleged whereabouts of a machine if that machine's IP address is IPv6, rather than if it's IPv4: For example, since I configured my smartphone Access Point Name (APN) of the type…
user123574