Difference between revisions of "Capabilities"

From ArchWiki
m (usr merge)
(Since this is the ARCH LINUX wiki, and Arch symlinked binary directories, reflect that. Style fixes.)
Line 3: Line 3:
 
In this way, it eliminates the need for "all or nothing", using a fine grained control with POSIX 1003.1e capabilities.
 
In this way, it eliminates the need for "all or nothing", using a fine grained control with POSIX 1003.1e capabilities.
  
'''Use with caution, some programs do not know about file capabilities. It apparently works correctly, but have some unexpected side effects (see for example [[#util-linux-ng]])'''
+
{{Warning|Use with caution, some programs do not know about file capabilities. It apparently works correctly, but have some unexpected side effects (see for example [[#util-linux-ng|util-linux-ng]]).}}
  
==Prerequisites==
+
== Prerequisites ==
You need libcap, for setting file capabalities that are extended attributes, with the utility setcap.
+
# pacman -S libcap
+
  
==Setuid-root files by package==
+
You need to [[pacman|install]] {{Pkg|libcap}}, for setting file capabalities that are extended attributes, with the utility ''setcap''.
  
===coreutils===
+
== Setuid-root files by package ==
  
{{Note|Warning: Do not use it, because su will return incorrect password.}}
+
=== coreutils ===
  
# chmod u-s /bin/su
+
{{Warning|Do not use it, because su will return incorrect password.}}
# setcap cap_setgid,cap_setuid+ep /bin/su
+
  
===dcron===
+
# chmod u-s /usr/bin/su
 +
# setcap cap_setgid,cap_setuid+ep /usr/bin/su
 +
 
 +
=== dcron ===
  
 
  # chmod u-s /usr/bin/crontab
 
  # chmod u-s /usr/bin/crontab
 
  # setcap cap_dac_override,cap_setgid+ep /usr/bin/crontab
 
  # setcap cap_dac_override,cap_setgid+ep /usr/bin/crontab
  
===inetutils===
+
=== inetutils ===
  
 
  # chmod u-s /usr/bin/rsh
 
  # chmod u-s /usr/bin/rsh
 
  # setcap cap_net_bind_service+ep /usr/bin/rsh
 
  # setcap cap_net_bind_service+ep /usr/bin/rsh
 
+
 
  # chmod u-s /usr/bin/rcp
 
  # chmod u-s /usr/bin/rcp
 
  # setcap cap_net_bind_service+ep /usr/bin/rcp
 
  # setcap cap_net_bind_service+ep /usr/bin/rcp
 
+
 
  # chmod u-s /usr/bin/rlogin
 
  # chmod u-s /usr/bin/rlogin
 
  # setcap cap_net_bind_service+ep /usr/bin/rlogin
 
  # setcap cap_net_bind_service+ep /usr/bin/rlogin
  
===iputils===
+
=== iputils ===
 
+
# chmod u-s /bin/ping
+
# setcap cap_net_raw+ep /bin/ping
+
 
+
# chmod u-s /bin/ping6
+
# setcap cap_net_raw+ep /bin/ping6
+
 
+
# chmod u-s /bin/traceroute
+
# setcap cap_net_raw+ep /bin/traceroute
+
  
  # chmod u-s /bin/traceroute6
+
  # chmod u-s /usr/bin/ping
  # setcap cap_net_raw+ep /bin/traceroute6
+
# setcap cap_net_raw+ep /usr/bin/ping
 +
 +
# chmod u-s /usr/bin/ping6
 +
# setcap cap_net_raw+ep /usr/bin/ping6
 +
 +
# chmod u-s /usr/bin/traceroute
 +
# setcap cap_net_raw+ep /usr/bin/traceroute
 +
 +
# chmod u-s /usr/bin/traceroute6
 +
  # setcap cap_net_raw+ep /usr/bin/traceroute6
  
===pam===
+
=== pam ===
  
  # chmod u-s /sbin/unix_chkpwd
+
  # chmod u-s /usr/bin/unix_chkpwd
  # setcap cap_dac_read_search+ep /sbin/unix_chkpwd
+
  # setcap cap_dac_read_search+ep /usr/bin/unix_chkpwd
  
===pmount===
+
=== pmount ===
  
 
Does not work without setuid.
 
Does not work without setuid.
  
===pulseaudio===
+
=== pulseaudio ===
  
 
  # chmod u-s /usr/lib/pulse/proximity-helper
 
  # chmod u-s /usr/lib/pulse/proximity-helper
 
  # setcap cap_net_raw+ep /usr/lib/pulse/proximity-helper
 
  # setcap cap_net_raw+ep /usr/lib/pulse/proximity-helper
  
===screen===
+
=== screen ===
  
Needs setuid for multiuser sessions, but if you don't need that feature, you can safely turn off setuid.
+
Needs setuid for multiuser sessions, but if you do not need that feature, you can safely turn off setuid.
  
===shadow===
+
=== shadow ===
  
 
  # chmod u-s /usr/bin/chage
 
  # chmod u-s /usr/bin/chage
 
  # setcap cap_dac_read_search+ep /usr/bin/chage
 
  # setcap cap_dac_read_search+ep /usr/bin/chage
 
+
 
  # chmod u-s /usr/bin/chfn
 
  # chmod u-s /usr/bin/chfn
 
  # setcap cap_chown,cap_setuid+ep /usr/bin/chfn
 
  # setcap cap_chown,cap_setuid+ep /usr/bin/chfn
 
+
 
  # chmod u-s /usr/bin/chsh
 
  # chmod u-s /usr/bin/chsh
 
  # setcap cap_chown,cap_setuid+ep /usr/bin/chsh
 
  # setcap cap_chown,cap_setuid+ep /usr/bin/chsh
 
+
 
  # chmod u-s /usr/bin/expiry
 
  # chmod u-s /usr/bin/expiry
 
  # setcap cap_dac_override,cap_setgid+ep /usr/bin/expiry
 
  # setcap cap_dac_override,cap_setgid+ep /usr/bin/expiry
 
+
 
  # chmod u-s /usr/bin/gpasswd
 
  # chmod u-s /usr/bin/gpasswd
 
  # setcap cap_chown,cap_dac_override,cap_setuid+ep /usr/bin/gpasswd
 
  # setcap cap_chown,cap_dac_override,cap_setuid+ep /usr/bin/gpasswd
 
+
 
  # chmod u-s /usr/bin/newgrp
 
  # chmod u-s /usr/bin/newgrp
 
  # setcap cap_dac_override,cap_setgid+ep /usr/bin/newgrp
 
  # setcap cap_dac_override,cap_setgid+ep /usr/bin/newgrp
 
+
 
  # chmod u-s /usr/bin/passwd
 
  # chmod u-s /usr/bin/passwd
 
  # setcap cap_chown,cap_dac_override,cap_fowner+ep /usr/bin/passwd
 
  # setcap cap_chown,cap_dac_override,cap_fowner+ep /usr/bin/passwd
  
===sudo===
+
=== sudo ===
  
 
Sudo does not work without setuid.
 
Sudo does not work without setuid.
  
===util-linux-ng===
+
=== util-linux-ng ===
  
{{Note|Warning: Do not use it, because mount and umount can not do some checks, then users can mount/umount filesystems that do not have permission.}}
+
{{Warning|Do not use it, because mount and umount can not do some checks, then users can mount/umount filesystems that do not have permission.}}
  
  # chmod u-s /bin/mount
+
  # chmod u-s /usr/bin/mount
  # setcap cap_dac_override,cap_sys_admin+ep /bin/mount
+
  # setcap cap_dac_override,cap_sys_admin+ep /usr/bin/mount
 +
 +
# chmod u-s /usr/bin/umount
 +
# setcap cap_dac_override,cap_sys_admin+ep /usr/bin/umount
  
# chmod u-s /bin/umount
+
=== xorg-xserver ===
# setcap cap_dac_override,cap_sys_admin+ep /bin/umount
+
 
+
===xorg-xserver===
+
  
 
  # chmod u-s /usr/bin/Xorg
 
  # chmod u-s /usr/bin/Xorg
 
  # setcap cap_chown,cap_dac_override,cap_sys_rawio,cap_sys_admin+ep /usr/bin/Xorg
 
  # setcap cap_chown,cap_dac_override,cap_sys_rawio,cap_sys_admin+ep /usr/bin/Xorg
  
==Other programs that benefit from capabilities==
+
== Other programs that benefit from capabilities ==
  
 
The following packages do not have files with the setuid attribute but require root privileges to work. By enabling some capabilities, regular users can use the program without privilege elevation.
 
The following packages do not have files with the setuid attribute but require root privileges to work. By enabling some capabilities, regular users can use the program without privilege elevation.
  
===beep===
+
=== beep ===
  
 
  # setcap cap_dac_override,cap_sys_tty_config+ep /usr/bin/beep
 
  # setcap cap_dac_override,cap_sys_tty_config+ep /usr/bin/beep
  
===chvt===
+
=== chvt ===
  
 
  # setcap cap_dac_read_search,cap_sys_tty_config+ep /usr/bin/chvt
 
  # setcap cap_dac_read_search,cap_sys_tty_config+ep /usr/bin/chvt
  
===iftop===
+
=== iftop ===
  
  # setcap cap_net_raw+ep /usr/sbin/iftop
+
  # setcap cap_net_raw+ep /usr/bin/iftop
  
===mii-tool===
+
=== mii-tool ===
  
  # setcap cap_net_admin+ep /sbin/mii-tool
+
  # setcap cap_net_admin+ep /usr/bin/mii-tool
  
==Useful commands==
+
== Useful commands ==
Find setuid-root files
+
 
 +
Find setuid-root files:
 
  $ find /usr/bin /usr/lib -perm /4000 -user root
 
  $ find /usr/bin /usr/lib -perm /4000 -user root
  
Find setgid-root files
+
Find setgid-root files:
 
  $ find /usr/bin /usr/lib -perm /2000 -group root
 
  $ find /usr/bin /usr/lib -perm /2000 -group root
  
==Additional Resources==
+
== See also ==
 +
 
 
* Man Page capabilities(7) setcap(8) getcap(8)
 
* Man Page capabilities(7) setcap(8) getcap(8)
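
Review bot: the rewritten Prerequisites line still misspells "capabilities" as "capabalities" ("for setting file capabalities that are extended attributes"), and the new {{Warning|...}} at the top keeps the ungrammatical "It apparently works correctly, but have some unexpected side effects". Since this revision is described as style fixes, correct both here. In the util-linux-ng warning, "users can mount/umount filesystems that do not have permission" would also read more clearly as "filesystems they do not have permission for".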

Revision as of 13:09, 14 November 2013

This article describes how to remove the setuid attribute from binaries that need only certain root privileges. This replaces the "all or nothing" model with fine-grained control using POSIX 1003.1e capabilities.

Warning: Use with caution: some programs do not know about file capabilities. They may appear to work correctly but have unexpected side effects (see for example util-linux-ng).

Prerequisites

You need to install libcap, which provides the setcap utility for setting file capabilities (these are stored as extended attributes).

Setuid-root files by package

coreutils

Warning: Do not use this, because su will then report an incorrect password.
# chmod u-s /usr/bin/su
# setcap cap_setgid,cap_setuid+ep /usr/bin/su

dcron

# chmod u-s /usr/bin/crontab
# setcap cap_dac_override,cap_setgid+ep /usr/bin/crontab

inetutils

# chmod u-s /usr/bin/rsh
# setcap cap_net_bind_service+ep /usr/bin/rsh

# chmod u-s /usr/bin/rcp
# setcap cap_net_bind_service+ep /usr/bin/rcp

# chmod u-s /usr/bin/rlogin
# setcap cap_net_bind_service+ep /usr/bin/rlogin

iputils

# chmod u-s /usr/bin/ping
# setcap cap_net_raw+ep /usr/bin/ping

# chmod u-s /usr/bin/ping6
# setcap cap_net_raw+ep /usr/bin/ping6

# chmod u-s /usr/bin/traceroute
# setcap cap_net_raw+ep /usr/bin/traceroute

# chmod u-s /usr/bin/traceroute6
# setcap cap_net_raw+ep /usr/bin/traceroute6

pam

# chmod u-s /usr/bin/unix_chkpwd
# setcap cap_dac_read_search+ep /usr/bin/unix_chkpwd

pmount

Does not work without setuid.

pulseaudio

# chmod u-s /usr/lib/pulse/proximity-helper
# setcap cap_net_raw+ep /usr/lib/pulse/proximity-helper

screen

Needs setuid for multiuser sessions, but if you do not need that feature, you can safely turn off setuid.

shadow

# chmod u-s /usr/bin/chage
# setcap cap_dac_read_search+ep /usr/bin/chage

# chmod u-s /usr/bin/chfn
# setcap cap_chown,cap_setuid+ep /usr/bin/chfn

# chmod u-s /usr/bin/chsh
# setcap cap_chown,cap_setuid+ep /usr/bin/chsh

# chmod u-s /usr/bin/expiry
# setcap cap_dac_override,cap_setgid+ep /usr/bin/expiry

# chmod u-s /usr/bin/gpasswd
# setcap cap_chown,cap_dac_override,cap_setuid+ep /usr/bin/gpasswd

# chmod u-s /usr/bin/newgrp
# setcap cap_dac_override,cap_setgid+ep /usr/bin/newgrp

# chmod u-s /usr/bin/passwd
# setcap cap_chown,cap_dac_override,cap_fowner+ep /usr/bin/passwd

sudo

Sudo does not work without setuid.

util-linux-ng

Warning: Do not use this: mount and umount cannot perform some of their checks, so users can mount/umount filesystems they do not have permission for.
# chmod u-s /usr/bin/mount
# setcap cap_dac_override,cap_sys_admin+ep /usr/bin/mount

# chmod u-s /usr/bin/umount
# setcap cap_dac_override,cap_sys_admin+ep /usr/bin/umount

xorg-xserver

# chmod u-s /usr/bin/Xorg
# setcap cap_chown,cap_dac_override,cap_sys_rawio,cap_sys_admin+ep /usr/bin/Xorg

Other programs that benefit from capabilities

The following packages do not have files with the setuid attribute but require root privileges to work. By enabling some capabilities, regular users can use the program without privilege elevation.

beep

# setcap cap_dac_override,cap_sys_tty_config+ep /usr/bin/beep

chvt

# setcap cap_dac_read_search,cap_sys_tty_config+ep /usr/bin/chvt

iftop

# setcap cap_net_raw+ep /usr/bin/iftop

mii-tool

# setcap cap_net_admin+ep /usr/bin/mii-tool

Useful commands

Find setuid-root files:

$ find /usr/bin /usr/lib -perm /4000 -user root

Find setgid-root files:

$ find /usr/bin /usr/lib -perm /2000 -group root
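
To review the result after converting binaries as described above, the following added example (not part of the wiki page) reads getcap output and flags files whose capabilities are broad enough to bypass file permissions or change identity. The BROAD list is this example's own assumption, and the sample lines are constructed from the setcap commands on this page.

```shell
#!/bin/sh
# Added example: classify lines of `getcap` output by how much power they grant.
# BROAD is this example's own (assumed) policy list, not something the wiki defines.
BROAD="cap_sys_admin cap_sys_rawio cap_dac_override cap_dac_read_search cap_setuid cap_setgid cap_chown cap_fowner"

# audit_caps: read getcap output on stdin, print "LEVEL path caps" per file.
# Handles "path = caps+ep" (older libcap) and "path caps=ep" (newer libcap);
# assumes a single capability clause per file, as in the commands above.
audit_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        spec=${line##* }        # last field: "cap_a,cap_b+ep" or "cap_a,cap_b=ep"
        path=${line% *}         # everything before the last field
        path=${path% =}         # older libcap puts " =" after the path
        caps=${spec%%[+=]*}     # strip the flag suffix (+ep / =ep)
        level=NARROW
        old_ifs=$IFS; IFS=,
        for c in $caps; do
            case " $BROAD " in *" $c "*) level=BROAD ;; esac
        done
        IFS=$old_ifs
        printf '%s %s %s\n' "$level" "$path" "$caps"
    done
}

# Constructed sample input modelled on the setcap commands on this page.
sample_getcap_output() {
    cat <<'EOF'
/usr/bin/ping = cap_net_raw+ep
/usr/bin/chage = cap_dac_read_search+ep
/usr/bin/mount cap_dac_override,cap_sys_admin=ep
/usr/bin/mii-tool cap_net_admin=ep
EOF
}

sample_getcap_output | audit_caps
```

On a real system, pipe `getcap -r /usr/bin /usr/lib 2>/dev/null` into audit_caps instead of the sample.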

See also

  • Man pages: capabilities(7), setcap(8), getcap(8)