Difference between revisions of "Capabilities"

From ArchWiki
(Added section "Other programs that benefit from capabilities")
 
(51 intermediate revisions by 21 users not shown)
Line 1: Line 1:
{{stub}}
+
[[Category:Security]]
The intention of this article is to remove the setuid attribute in the binaries that require certain root-privileges.
+
[[ja:ケイパビリティ]]
In this way, it eliminates the need for "all or nothing", using a fine grained control with POSIX 1003.1e capabilities.
+
[[zh-hans:Capabilities]]
 +
Capabilities (POSIX 1003.1e, {{man|7|capabilities}}) provide fine-grained control over superuser permissions, allowing use of the root user to be avoided. Software developers are encouraged to replace uses of the powerful [[wikipedia:Setuid|setuid]] attribute in a system binary with a more minimal set of capabilities. Many packages make use of capabilities, such as {{ic|CAP_NET_RAW}} being used for the {{ic|ping}} binary provided by {{pkg|iputils}}. This enables e.g. {{ic|ping}} to be run by a normal user (as with the '''setuid''' method), while at the same time limiting the security consequences of a potential vulnerability in {{ic|ping}}.
  
'''Use with caution, some programs do not know about file capabilities. It apparently works correctly, but have some unexpected side effects (see for example [[#util-linux-ng]])'''
+
== Implementation ==
  
==Prerequisites==
+
Capabilities are implemented on Linux using [[extended attributes]] ({{man|7|xattr}}) in the ''security'' namespace. Extended attributes are supported by all major Linux [[file systems]], including Ext2, Ext3, Ext4, Btrfs, JFS, XFS, and Reiserfs. The following example prints the capabilities of ping with {{ic|getcap}}, and then prints the same data in its encoded form using {{ic|getfattr}}:
You need libcap, for setting file capabalities that are extended attributes, with the utility setcap.
 
# pacman -S libcap
 
  
==Setuid-root files by repo==
+
{{hc|$ getcap /usr/bin/ping|2=
 +
/usr/bin/ping = cap_net_raw+ep
 +
}}
  
===[core]===
+
{{hc|$ getfattr -d -m "^security\\." /usr/bin/ping|2=
 +
# file: usr/bin/ping
 +
security.capability=0sAQAAAgAgAAAAAAAAAAAAAAAAAAA=
 +
}}
  
====coreutils====
+
Extended attributes are copied automatically by {{ic|cp -a}}, but some other programs require a special flag: {{ic|rsync -X}}.
  
{{Note|Warning: Do not use it, because su will return incorrect password.}}
+
Capabilities are set by package install scripts on Arch (e.g. {{ic|iputils.install}}).
  
# chmod u-s /bin/su
+
== Administration and maintenance ==
# setcap cap_setgid,cap_setuid+ep /bin/su
 
  
====glibc====
+
It is considered a bug if a package has overly permissive capabilities, so these cases should be reported rather than listed here. A capability essentially equivalent to root access ({{ic|CAP_SYS_ADMIN}}) or trivially allowing root access ({{ic|CAP_DAC_OVERRIDE}}) does not count as a bug since Arch does not support any [[Security#Mandatory access control|MAC/RBAC]] systems.
  
 +
{{Warning|Many capabilities enable trivial privilege escalation. For examples and explanations see Brad Spengler's post [http://forums.grsecurity.net/viewtopic.php?f=7&t=2522&sid=c6fbcf62fd5d3472562540a7e608ce4e#p10271 False Boundaries and Arbitrary Code Execution].}}
  
====heimdal====
+
== Other programs that benefit from capabilities ==
  
 +
The following packages do not have files with the setuid attribute but require root privileges to work. By enabling some capabilities, regular users can use the program without privilege elevation.
  
====inetutils====
+
=== beep ===
  
# chmod u-s /usr/bin/rsh
+
  # setcap cap_dac_override,cap_sys_tty_config+ep /usr/bin/beep
  # setcap cap_net_bind_service+ep /usr/bin/rsh
 
  
# chmod u-s /usr/bin/rcp
+
=== chvt ===
# setcap cap_net_bind_service+ep /usr/bin/rcp
 
  
# chmod u-s /usr/bin/rlogin
+
  # setcap cap_dac_read_search,cap_sys_tty_config+ep /usr/bin/chvt
  # setcap cap_net_bind_service+ep /usr/bin/rlogin
 
  
====iputils====
+
=== iftop ===
  
# chmod u-s /bin/ping
+
  # setcap cap_net_raw+ep /usr/bin/iftop
# setcap cap_net_raw+ep /bin/ping
 
 
 
# chmod u-s /bin/ping6
 
# setcap cap_net_raw+ep /bin/ping6
 
 
 
# chmod u-s /bin/traceroute
 
# setcap cap_net_raw+ep /bin/traceroute
 
 
 
# chmod u-s /bin/traceroute6
 
  # setcap cap_net_raw+ep /bin/traceroute6
 
 
 
====pam====
 
 
 
# chmod u-s /sbin/unix_chkpwd
 
# setcap cap_dac_read_search+ep /sbin/unix_chkpwd
 
 
 
====shadow====
 
 
 
# chmod u-s /usr/bin/chage
 
# setcap cap_dac_read_search+ep /usr/bin/chage
 
 
 
# chmod u-s /usr/bin/chfn
 
# setcap cap_chown,cap_setuid+ep /usr/bin/chfn
 
  
# chmod u-s /usr/bin/chsh
+
=== mii-tool ===
# setcap cap_chown,cap_setuid+ep /usr/bin/chsh
 
  
# chmod u-s /usr/bin/expiry
+
  # setcap cap_net_admin+ep /usr/bin/mii-tool
  # setcap cap_dac_override,cap_setgid+ep /usr/bin/expiry
 
  
# chmod u-s /usr/bin/gpasswd
+
=== mtr ===
# setcap cap_chown,cap_dac_override,cap_setuid+ep /usr/bin/gpasswd
 
  
# chmod u-s /usr/bin/newgrp
+
  # setcap cap_net_raw+ep /usr/bin/mtr-packet
  # setcap cap_dac_override,cap_setgid+ep /usr/bin/newgrp
 
  
# chmod u-s /usr/bin/passwd
+
=== nethogs ===
# setcap cap_chown,cap_dac_override,cap_fowner+ep /usr/bin/passwd
 
  
====sudo====
+
# setcap cap_net_admin,cap_net_raw+ep /usr/bin/nethogs
  
Sudo does not work without setuid.
+
== Useful commands ==
  
====util-linux-ng====
+
Find setuid-root files:
  
{{Note|Warning: Do not use it, because mount and umount can not do some checks, then users can mount/umount filesystems that do not have permission.}}
+
$ find /usr/bin /usr/lib -perm /4000 -user root
  
# chmod u-s /bin/mount
+
Find setgid-root files:
# setcap cap_dac_override,cap_sys_admin+ep /bin/mount
 
  
  # chmod u-s /bin/umount
+
  $ find /usr/bin /usr/lib -perm /2000 -group root
# setcap cap_dac_override,cap_sys_admin+ep /bin/umount
 
  
===[extra]===
+
== See also ==
  
====apache====
+
* Man pages: {{man|7|capabilities}}, {{man|8|setcap}}, {{man|8|getcap}}
 
+
* [https://en.wikibooks.org/wiki/Grsecurity/Appendix/Capability_Names_and_Descriptions Grsecurity Appendix: Capability Names and Descriptions]
====cups====
+
* [https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt The Linux Kernel Archives: SECure COMPuting with filters]
 
 
====dcron====
 
 
 
# chmod u-s /usr/bin/crontab
 
# setcap cap_dac_override,cap_setgid+ep /usr/bin/crontab
 
 
 
====fuse====
 
 
 
====kdebase-workspace====
 
 
 
====pmount====
 
 
 
Does not work without setuid.
 
 
 
====schroot====
 
 
 
====screen====
 
 
 
Always needs setuid to perform some security checks. See screen(1) man page.
 
 
 
====xorg-xserver====
 
 
 
# chmod u-s /usr/bin/Xorg
 
# setcap cap_chown,cap_dac_override,cap_sys_rawio,cap_sys_admin+ep /usr/bin/Xorg
 
 
 
===[community]===
 
 
 
==Other programs that benefit from capabilities==
 
 
 
The following progrmas are not setuid, but do require root privileges to work. By enabling some capabilities regular users can use the program without privilege elevation.
 
 
 
===chvt===
 
 
 
# setcap cap_dac_read_search,cap_sys_tty_config+ep+ep /usr/bin/chvt
 
 
 
===iftop===
 
 
 
# setcap cap_net_raw+ep /usr/bin/iftop
 
 
 
==Useful commands==
 
Find setuid-root files
 
$ find /bin /sbin /lib /usr/bin /usr/sbin /usr/lib -perm /4000 -user root
 
 
 
Find setgid-root files
 
$ find /bin /sbin /lib /usr/bin /usr/sbin /usr/lib -perm /2000 -group root
 
 
 
==Additional Resources==
 
* Man Page capabilities(7) setcap(8) getcap(8)
 
 
 
[[Category:Security]]
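Review bot: the beep recipe added in the new "Other programs that benefit from capabilities" section (`# setcap cap_dac_override,cap_sys_tty_config+ep /usr/bin/beep`) grants CAP_DAC_OVERRIDE, which the new "Administration and maintenance" text in this same diff describes as "trivially allowing root access"; the entry should carry the same caution as the Warning box (or a pointer to it) so readers do not treat it as a harmless replacement for running beep as root. Also worth stating: the new `find` commands drop /bin, /sbin and /usr/sbin from the search paths of the old ones, which is only equivalent on Arch's merged /usr layout where those are symlinks into /usr/bin, so the text should say the paths assume that layout.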
 

Latest revision as of 10:54, 11 September 2019

Capabilities (POSIX 1003.1e, capabilities(7)) provide fine-grained control over superuser permissions, allowing use of the root user to be avoided. Software developers are encouraged to replace uses of the powerful setuid attribute in a system binary with a more minimal set of capabilities. Many packages make use of capabilities, such as CAP_NET_RAW being used for the ping binary provided by iputils. This enables e.g. ping to be run by a normal user (as with the setuid method), while at the same time limiting the security consequences of a potential vulnerability in ping.

Implementation

Capabilities are implemented on Linux using extended attributes (xattr(7)) in the security namespace. Extended attributes are supported by all major Linux file systems, including Ext2, Ext3, Ext4, Btrfs, JFS, XFS, and Reiserfs. The following example prints the capabilities of ping with getcap, and then prints the same data in its encoded form using getfattr:

$ getcap /usr/bin/ping
/usr/bin/ping = cap_net_raw+ep
$ getfattr -d -m "^security\\." /usr/bin/ping
# file: usr/bin/ping
security.capability=0sAQAAAgAgAAAAAAAAAAAAAAAAAAA=

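The encoded security.capability value above is a little-endian struct vfs_cap_data. The following Python, added here as an illustration and not part of the ArchWiki page, decodes that value back into getcap's notation and builds the value setcap writes for the commands later on this page; the function and constant names are my own, the magic values and bit numbers follow <linux/capability.h>.

```python
import base64
import struct
# Capability bit numbers from <linux/capability.h> (list index = bit number).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # low byte of magic_etc
VFS_CAP_REVISION_2 = 0x02000000     # high byte of magic_etc: two 32-bit words per mask

def decode_security_capability(value):
    """Decode a '0s'+base64 security.capability value (struct vfs_cap_data)."""
    if not value.startswith("0s"):
        raise ValueError("expected getfattr base64 encoding ('0s...')")
    raw = base64.b64decode(value[2:])
    magic = struct.unpack_from("<I", raw, 0)[0]
    revision, effective = magic >> 24, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)
    permitted = inheritable = 0
    for i in range(1 if revision == 1 else 2):  # v1: 32-bit masks; v2/v3: 64-bit
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)  # little-endian pairs
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return revision, permitted, inheritable, effective

def getcap_text(value):
    """Render the xattr in getcap's 'cap_a,cap_b+flags' notation (flags e, i, p)."""
    _, permitted, inheritable, effective = decode_security_capability(value)
    groups = {}
    for bit in range(64):
        p, i = permitted >> bit & 1, inheritable >> bit & 1
        flags = ("e" if effective and p else "") + ("i" if i else "") + ("p" if p else "")
        if flags:  # the effective bit applies to every permitted capability
            name = "cap_" + CAP_NAMES[bit] if bit < len(CAP_NAMES) else str(bit)
            groups.setdefault(flags, []).append(name)
    return " ".join(",".join(n) + "+" + f for f, n in groups.items())

def encode_security_capability(cap_names, effective=True):
    """Inverse: build the v2 xattr that setcap 'cap_a,cap_b+ep' would write."""
    mask = 0
    for name in cap_names:
        mask |= 1 << CAP_NAMES.index(name[4:] if name.startswith("cap_") else name)
    magic = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    raw = struct.pack("<IIIII", magic, mask & 0xFFFFFFFF, 0, mask >> 32, 0)
    return "0s" + base64.b64encode(raw).decode()
```

Running getcap_text on the ping value above yields cap_net_raw+ep, and encoding ["cap_net_raw"] reproduces the exact base64 string getfattr printed, which is a handy way to audit a binary's xattr without trusting the getcap binary itself.
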
Extended attributes are copied automatically by cp -a, but some other programs require a special flag: rsync -X.

Capabilities are set by package install scripts on Arch (e.g. iputils.install).

Administration and maintenance

It is considered a bug if a package has overly permissive capabilities, so these cases should be reported rather than listed here. A capability essentially equivalent to root access (CAP_SYS_ADMIN) or trivially allowing root access (CAP_DAC_OVERRIDE) does not count as a bug since Arch does not support any MAC/RBAC systems.

Warning: Many capabilities enable trivial privilege escalation. For examples and explanations see Brad Spengler's post False Boundaries and Arbitrary Code Execution.

Other programs that benefit from capabilities

The following packages do not have files with the setuid attribute but require root privileges to work. By enabling some capabilities, regular users can use the program without privilege elevation.

beep

# setcap cap_dac_override,cap_sys_tty_config+ep /usr/bin/beep

chvt

# setcap cap_dac_read_search,cap_sys_tty_config+ep /usr/bin/chvt

iftop

# setcap cap_net_raw+ep /usr/bin/iftop

mii-tool

# setcap cap_net_admin+ep /usr/bin/mii-tool

mtr

# setcap cap_net_raw+ep /usr/bin/mtr-packet

nethogs

# setcap cap_net_admin,cap_net_raw+ep /usr/bin/nethogs

Useful commands

Find setuid-root files:

$ find /usr/bin /usr/lib -perm /4000 -user root

Find setgid-root files:

$ find /usr/bin /usr/lib -perm /2000 -group root

See also