Difference between revisions of "Capabilities (简体中文)"


Revision as of 04:02, 27 October 2015

Capabilities (POSIX 1003.1e, capabilities(7)) provide fine-grained control over superuser permissions, so that use of the root account can be avoided. Software developers are encouraged to replace uses of the powerful setuid attribute in a system binary with a more minimal set of capabilities. Many packages make use of capabilities, for example CAP_NET_RAW for the ping and ping6 binaries provided by [1]. This allows a program such as ping to be run by a normal user (as with the setuid method), while limiting the security consequences of a potential vulnerability in ping.

Prerequisites

You need to install libcap, which provides the setcap command used to set file capabilities (stored as extended file attributes).

Implementation

Capabilities are implemented on Linux using extended attributes (man 7 xattr) in the security namespace. Extended attributes are supported by all major Linux filesystems, including Ext2, Ext3, Ext4, Btrfs, JFS, XFS, and Reiserfs. The following example prints the capabilities of ping with getcap, and then prints the same data in its encoded form using getfattr (provided by the attr package):

$ getcap /bin/ping
/bin/ping = cap_net_raw+ep
$ getfattr -d -m "^security\\." /bin/ping
# file: bin/ping
security.capability=0sAQAAAgAgAAAAAAAAAAAAAAAAAAA=
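The base64 blob getfattr prints is the kernel's struct vfs_cap_data. The script below is an added example (not part of this wiki page or of libcap) that decodes such a value and renders it in getcap's notation, so the two outputs above can be checked against each other. It assumes a little-endian host (od -tu4 reads host byte order) and coreutils base64/od; the capability numbering follows linux/capability.h.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: decode the raw security.capability
# xattr shown by getfattr and print it in getcap's notation.
#
# On-disk layout (struct vfs_cap_data), five little-endian u32 words for
# VFS_CAP_REVISION_2 (revision 3 appends a sixth word, the rootid):
#   magic_etc | permitted[0] | inheritable[0] | permitted[1] | inheritable[1]
# The top byte of magic_etc is the revision; bit 0 is VFS_CAP_FLAGS_EFFECTIVE,
# meaning every permitted bit is also effective (getcap's "e").
# Assumed: little-endian host (od -tu4 uses host byte order), coreutils base64/od.

# Capability names indexed by bit number (linux/capability.h, bits 0..40).
CAP_NAMES="cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid \
cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable \
cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock \
cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace \
cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource \
cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write \
cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog \
cap_wake_alarm cap_block_suspend cap_audit_read cap_perfmon cap_bpf \
cap_checkpoint_restore"

# cap_name BIT -> capability name for BIT, or cap_BIT if the table has no entry
cap_name() {
    n=$1
    # shellcheck disable=SC2086  # word splitting into positional params is intended
    set -- $CAP_NAMES
    if [ "$n" -lt $# ]; then
        shift "$n"
        printf '%s' "$1"
    else
        printf 'cap_%s' "$n"
    fi
}

# bits_to_names LOW HIGH -> comma-separated names of every set bit in the
# 64-bit mask formed by two u32 words (LOW = bits 0-31, HIGH = bits 32-63)
bits_to_names() {
    lo=$1 hi=$2 out="" i=0
    while [ "$i" -lt 64 ]; do
        if [ "$i" -lt 32 ]; then
            bit=$(( (lo >> i) & 1 ))
        else
            bit=$(( (hi >> (i - 32)) & 1 ))
        fi
        if [ "$bit" -eq 1 ]; then
            out="${out}${out:+,}$(cap_name "$i")"
        fi
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# decode_capability_xattr VALUE -> getcap-style text ("cap_net_raw+ep") for the
# base64 value of security.capability; getfattr's leading "0s" may be present.
decode_capability_xattr() {
    b64=${1#0s}
    # od -tu4: unsigned 32-bit words in host order; -An drops offsets;
    # -v keeps runs of zero words instead of folding them into "*"
    # shellcheck disable=SC2046
    set -- $(printf '%s' "$b64" | base64 -d | od -An -tu4 -v)
    if [ $# -lt 5 ]; then
        echo "error: short or malformed security.capability value" >&2
        return 1
    fi
    magic=$1 perm_lo=$2 inh_lo=$3 perm_hi=$4 inh_hi=$5
    rev=$(( magic >> 24 ))
    if [ "$rev" -ne 2 ] && [ "$rev" -ne 3 ]; then
        echo "error: unsupported VFS_CAP_REVISION $rev" >&2
        return 1
    fi
    eff=""
    if [ $(( magic & 1 )) -eq 1 ]; then eff="e"; fi
    permitted=$(bits_to_names "$perm_lo" "$perm_hi")
    inheritable=$(bits_to_names "$inh_lo" "$inh_hi")
    if [ -z "$permitted$inheritable" ]; then
        echo "(no capability bits set)"
    elif [ -z "$inheritable" ]; then
        printf '%s+%sp\n' "$permitted" "$eff"
    elif [ "$inheritable" = "$permitted" ]; then
        printf '%s+%sip\n' "$permitted" "$eff"
    else
        printf '%s+%sp %s+i\n' "$permitted" "$eff" "$inheritable"
    fi
    if [ "$rev" -eq 3 ] && [ $# -ge 6 ]; then
        echo "(revision 3: rootid=$6, a user-namespaced file capability)"
    fi
}

# The value getfattr printed for /bin/ping above, minus the "0s" prefix:
decode_capability_xattr 'AQAAAgAgAAAAAAAAAAAAAAAAAAA='   # cap_net_raw+ep
```

To check a live binary, feed the raw attribute through base64 and compare with getcap: `getfattr -n security.capability --only-values /bin/ping | base64` gives the argument for decode_capability_xattr, and the result should match `getcap /bin/ping`. Bit 13 of the first permitted word is what turns the 0x2000 in the blob into cap_net_raw; the 0x02 in the top byte of the first word is the revision and the 0x01 in its low byte is the effective flag.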

Extended attributes are copied automatically by cp -a, but some other programs require a special flag, e.g. rsync -X (--xattrs) and GNU tar --xattrs. A copy made without the flag has no security.capability attribute, so the copied binary silently loses its capabilities.

Capabilities are set by package install scripts on Arch (e.g. iputils.install).

Administration and maintenance

It is considered a bug if a package has overly permissive capabilities, so these cases should be reported rather than listed here. A capability essentially equivalent to root access (CAP_SYS_ADMIN) or trivially allowing root access (CAP_DAC_OVERRIDE) does not count as a bug since Arch does not support any MAC/RBAC systems.

Warning: Many capabilities enable trivial privilege escalation. For examples and explanations see Brad Spengler's post False Boundaries and Arbitrary Code Execution.

Other programs that benefit from capabilities

The following packages do not have files with the setuid attribute but require root privileges to work. By enabling some capabilities, regular users can use the program without privilege elevation. Note that some of the capabilities below fall under the warning above: cap_dac_override (beep) is treated in this article as trivially allowing root access, so granting it is not materially safer than setuid root, and cap_dac_read_search (chvt) lets the program read any file on the system.

beep

# setcap cap_dac_override,cap_sys_tty_config+ep /usr/bin/beep

chvt

# setcap cap_dac_read_search,cap_sys_tty_config+ep /usr/bin/chvt

iftop

# setcap cap_net_raw+ep /usr/bin/iftop

mii-tool

# setcap cap_net_admin+ep /usr/bin/mii-tool

Useful commands

Find setuid-root files:

$ find /usr/bin /usr/lib -perm /4000 -user root

Find setgid-root files:

$ find /usr/bin /usr/lib -perm /2000 -group root
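The find commands cover setuid and setgid files; getcap -r is the equivalent for file capabilities. The script below is an added example (not part of this wiki page or of libcap) that runs that inventory and flags the capabilities this article and Spengler's post treat as root-equivalent or trivially escalatable. The list of risky capabilities is a judgement call made for this example; the sample getcap lines are constructed so the parser can be exercised without the packages installed, and the live run only happens when getcap is present.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: inventory file capabilities the way
# the find commands above inventory setuid/setgid files, and flag the risky ones.

# Capabilities treated here as root-equivalent or trivially escalatable. This is
# an example list based on the warning above (CAP_SYS_ADMIN, CAP_DAC_OVERRIDE)
# plus the usual suspects from Spengler's post; extend it to taste.
RISKY_CAPS="cap_sys_admin cap_dac_override cap_dac_read_search cap_sys_module \
cap_sys_rawio cap_sys_ptrace cap_setuid cap_setgid cap_chown cap_fowner \
cap_setfcap cap_mknod"

# cap_names_from_getcap_line LINE -> the capability names on one getcap output
# line, one per line. Both getcap output styles are accepted:
#   "/bin/ping = cap_net_raw+ep"       (older libcap)
#   "/usr/bin/ping cap_net_raw=ep"     (newer libcap)
# Paths containing spaces are not handled.
cap_names_from_getcap_line() {
    rest=${1#* }          # drop the path (first field)
    rest=${rest#= }       # drop the " = " separator of the old format
    # split clauses on spaces and commas, strip the +ep / =ep / -p flag suffix,
    # keep only tokens that look like capability names
    printf '%s\n' "$rest" | tr ' ,' '\n\n' | sed -e 's/[+=-].*$//' -e '/^cap_/!d'
}

# risky_caps_in_line LINE -> comma-separated risky capability names on the
# line, empty if none
risky_caps_in_line() {
    found=""
    for name in $(cap_names_from_getcap_line "$1"); do
        case " $RISKY_CAPS " in
            *" $name "*) found="${found}${found:+,}$name" ;;
        esac
    done
    printf '%s\n' "$found"
}

# audit_getcap_output: read getcap lines on stdin, print one report line per
# file ("OK <path> <caps>" or "RISKY <path> <risky caps>") and return 1 if
# anything was flagged, so it can gate a build or CI check.
audit_getcap_output() {
    status=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line%% *}
        risky=$(risky_caps_in_line "$line")
        if [ -n "$risky" ]; then
            printf 'RISKY %s %s\n' "$path" "$risky"
            status=1
        else
            printf 'OK    %s %s\n' "$path" \
                "$(cap_names_from_getcap_line "$line" | paste -sd, -)"
        fi
    done
    return $status
}

# Constructed sample (not real system output): the ping, iftop, beep and chvt
# settings from this article, in both getcap output styles.
SAMPLE_GETCAP_OUTPUT='/usr/bin/ping cap_net_raw=ep
/usr/bin/iftop cap_net_raw=ep
/usr/bin/beep cap_dac_override,cap_sys_tty_config=ep
/usr/bin/chvt = cap_dac_read_search,cap_sys_tty_config+ep'

echo "== sample =="
printf '%s\n' "$SAMPLE_GETCAP_OUTPUT" | audit_getcap_output \
    || echo "sample audit flagged risky capabilities"

# Live inventory, only when libcap's getcap is installed. getcap -r warns about
# files it cannot read, hence the silenced stderr.
if command -v getcap >/dev/null 2>&1; then
    echo "== live =="
    getcap -r /usr/bin /usr/lib 2>/dev/null | audit_getcap_output \
        || echo "live audit flagged risky capabilities"
fi
```

The beep and chvt lines are flagged because cap_dac_override and cap_dac_read_search are on the risky list, while ping and iftop with cap_net_raw pass; that is exactly the distinction the warning above draws. Setuid-root files found with the find commands deserve the same scrutiny, since a setuid binary holds every capability at once.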

See also