Difference between revisions of "Capabilities"

From ArchWiki
(Setuid-root files by package: add an explanation)
(pulseaudio: pulse no longer includes this file, and arch was using cap_net_raw instead of setuid before it was removed anyway)
Line 48: Line 48:
  
 
Does not work without setuid.
 
Does not work without setuid.
 
=== pulseaudio ===
 
 
# chmod u-s /usr/lib/pulse/proximity-helper
 
# setcap cap_net_raw+ep /usr/lib/pulse/proximity-helper
 
  
 
=== screen ===
 
=== screen ===
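Review bot: with the pulseaudio subsection dropped, the page loses its only record that Arch shipped proximity-helper with cap_net_raw+ep rather than setuid, a fact the edit summary itself states; consider keeping that precedent as a one-line mention next to the iputils ping example in the introduction instead of removing it entirely, since the introduction otherwise cites only ping/ping6 as packages already using file capabilities.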

Revision as of 07:32, 30 March 2014

The intention of this article is to remove the setuid attribute from binaries that require certain root privileges, replacing the "all or nothing" model of setuid root with fine-grained control using POSIX 1003.1e capabilities. Many packages already make use of capabilities, such as CAP_NET_RAW being used for the ping and ping6 binaries provided by iputils.

Warning: Use with caution, as some programs do not know about file capabilities. A program may appear to work correctly but have unexpected side effects (see for example util-linux-ng below).
Warning: Many capabilities enable trivial privilege escalation. For examples and explanations see Brad Spengler's post False Boundaries and Arbitrary Code Execution.

Prerequisites

You need to install libcap, which provides the setcap utility used to set file capabilities (stored as extended attributes).

Setuid-root files by package

This is a scratch space tracking which packages still include setuid binaries, and the capabilities that would be required instead. If there are no caveats with the solution and it provides demonstrably more security (reducing setuid to `CAP_SYS_ADMIN` is not very useful), it should be reported as a packaging bug. You likely don't want to use the commands here, as they may cause breakage and will be reverted on package upgrades anyway.

coreutils

Warning: Do not use this, because su will report an incorrect password.
# chmod u-s /usr/bin/su
# setcap cap_setgid,cap_setuid+ep /usr/bin/su

dcron

# chmod u-s /usr/bin/crontab
# setcap cap_dac_override,cap_setgid+ep /usr/bin/crontab

inetutils

Note: FS#39686 tracks enabling this in the official package.
# chmod u-s /usr/bin/rsh
# setcap cap_net_bind_service+ep /usr/bin/rsh

# chmod u-s /usr/bin/rcp
# setcap cap_net_bind_service+ep /usr/bin/rcp

# chmod u-s /usr/bin/rlogin
# setcap cap_net_bind_service+ep /usr/bin/rlogin

pam

Warning: This capability allows gaining root access by reading the root password, so it's unlikely to be more secure than setuid.
# chmod u-s /usr/bin/unix_chkpwd
# setcap cap_dac_read_search+ep /usr/bin/unix_chkpwd

pmount

Does not work without setuid.

screen

Needs setuid for multiuser sessions, but if you do not need that feature, you can safely turn off setuid.

shadow

Warning: These capabilities allow gaining root access by reading the root password and/or modifying files/permissions, so it's no more secure than setuid.
# chmod u-s /usr/bin/chage
# setcap cap_dac_read_search+ep /usr/bin/chage

# chmod u-s /usr/bin/chfn
# setcap cap_chown,cap_setuid+ep /usr/bin/chfn

# chmod u-s /usr/bin/chsh
# setcap cap_chown,cap_setuid+ep /usr/bin/chsh

# chmod u-s /usr/bin/expiry
# setcap cap_dac_override,cap_setgid+ep /usr/bin/expiry

# chmod u-s /usr/bin/gpasswd
# setcap cap_chown,cap_dac_override,cap_setuid+ep /usr/bin/gpasswd

# chmod u-s /usr/bin/newgrp
# setcap cap_dac_override,cap_setgid+ep /usr/bin/newgrp

# chmod u-s /usr/bin/passwd
# setcap cap_chown,cap_dac_override,cap_fowner+ep /usr/bin/passwd

sudo

Sudo does not work without setuid.

util-linux-ng

Warning: Do not use this: without setuid, mount and umount cannot perform some of their checks, so users can mount/umount filesystems they do not have permission for.
# chmod u-s /usr/bin/mount
# setcap cap_dac_override,cap_sys_admin+ep /usr/bin/mount

# chmod u-s /usr/bin/umount
# setcap cap_dac_override,cap_sys_admin+ep /usr/bin/umount

xorg-xserver

Warning: CAP_SYS_ADMIN is essentially root access. There's little to no security offered by doing this.
# chmod u-s /usr/bin/Xorg
# setcap cap_chown,cap_dac_override,cap_sys_rawio,cap_sys_admin+ep /usr/bin/Xorg

Other programs that benefit from capabilities

The following packages do not have files with the setuid attribute but require root privileges to work. By granting the needed capabilities to the binary, regular users can run the program without privilege elevation.

beep

# setcap cap_dac_override,cap_sys_tty_config+ep /usr/bin/beep

chvt

# setcap cap_dac_read_search,cap_sys_tty_config+ep /usr/bin/chvt

iftop

# setcap cap_net_raw+ep /usr/bin/iftop

mii-tool

# setcap cap_net_admin+ep /usr/bin/mii-tool

Useful commands

Find setuid-root files:

$ find /usr/bin /usr/lib -perm /4000 -user root

Find setgid-root files:

$ find /usr/bin /usr/lib -perm /2000 -group root
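As an added shell example, not part of the wiki page itself: the two searches above wrapped as reusable functions, together with a getcap -r listing of file capabilities over the same trees, so the setuid state and the capability state of a system can be compared in one report. The function names and the default trees (/usr/bin and /usr/lib, as on this page) are this example's own choices.

```shell
#!/bin/sh
# Audit helper (added example): report setuid/setgid files owned by a given
# user/group, and the file capabilities set in the same directory trees.

# find_setuid_files OWNER DIR...: files with the setuid bit owned by OWNER
find_setuid_files() {
    owner="$1"; shift
    find "$@" -xdev -type f -perm /4000 -user "$owner" 2>/dev/null
}

# find_setgid_files GROUP DIR...: files with the setgid bit owned by GROUP
find_setgid_files() {
    group="$1"; shift
    find "$@" -xdev -type f -perm /2000 -group "$group" 2>/dev/null
}

# count_setuid_files OWNER DIR...: number of matches, handy for a
# before/after comparison when setuid bits are replaced by capabilities
count_setuid_files() {
    find_setuid_files "$@" | wc -l | tr -d ' '
}

# list_file_caps DIR...: files carrying file capabilities (needs libcap's getcap)
list_file_caps() {
    command -v getcap >/dev/null 2>&1 || {
        echo "getcap not found: install libcap" >&2
        return 1
    }
    getcap -r "$@" 2>/dev/null
}

# audit_privileged_files [DIR...]: full report; defaults to the trees the page searches
audit_privileged_files() {
    [ $# -gt 0 ] || set -- /usr/bin /usr/lib
    echo "== setuid-root files =="
    find_setuid_files root "$@"
    echo "== setgid-root files =="
    find_setgid_files root "$@"
    echo "== files with file capabilities =="
    list_file_caps "$@"
}
```

Run audit_privileged_files with no arguments for the default report, or pass other directories to audit a different tree.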

See also

  • Man pages: capabilities(7), setcap(8), getcap(8)