Capabilities

From ArchWiki
Revision as of 22:22, 23 March 2009 by Djgera

Introduction

This article shows how to remove the setuid attribute from binaries that need only certain root privileges. Doing so replaces the "all or nothing" model of setuid root with fine-grained control through POSIX 1003.1e capabilities.


Prerequisites

You need libcap version 2, which is currently in the [testing] repo, to set the file capabilities extended attributes.

pacman -S libcap

Setuid-root files by repo

[core]

coreutils

chmod u-s /bin/su
setcap cap_setgid,cap_setuid+ep /bin/su

dcron

chmod u-s /usr/bin/crontab
setcap cap_dac_override,cap_setgid+ep /usr/bin/crontab

inetutils

chmod u-s /usr/bin/rsh
setcap cap_net_bind_service+ep /usr/bin/rsh
chmod u-s /usr/bin/rcp
setcap cap_net_bind_service+ep /usr/bin/rcp
chmod u-s /usr/bin/rlogin
setcap cap_net_bind_service+ep /usr/bin/rlogin

iputils

chmod u-s /bin/ping
setcap cap_net_raw+ep /bin/ping
chmod u-s /bin/ping6
setcap cap_net_raw+ep /bin/ping6
chmod u-s /bin/traceroute
setcap cap_net_raw+ep /bin/traceroute
chmod u-s /bin/traceroute6
setcap cap_net_raw+ep /bin/traceroute6

pam

chmod u-s /sbin/unix_chkpwd
setcap cap_dac_read_search+ep /sbin/unix_chkpwd

shadow

chmod u-s /usr/bin/chage
setcap cap_dac_read_search+ep /usr/bin/chage
chmod u-s /usr/bin/chfn
setcap cap_chown,cap_setuid+ep /usr/bin/chfn
chmod u-s /usr/bin/chsh
setcap cap_chown,cap_setuid+ep /usr/bin/chsh
chmod u-s /usr/bin/expiry
setcap cap_dac_override,cap_setgid+ep /usr/bin/expiry
chmod u-s /usr/bin/gpasswd
setcap cap_chown,cap_dac_override,cap_setuid+ep /usr/bin/gpasswd
chmod u-s /usr/bin/newgrp
setcap cap_dac_override,cap_setgid+ep /usr/bin/newgrp
chmod u-s /usr/bin/passwd
setcap cap_chown,cap_dac_override,cap_fowner+ep /usr/bin/passwd

sudo

Sudo is the only one for which it does not make sense to remove all root privileges, unless you use it only to perform some specific tasks.

util-linux-ng

chmod u-s /bin/mount
setcap cap_dac_override,cap_sys_admin+ep /bin/mount
chmod u-s /bin/umount
setcap cap_dac_override,cap_sys_admin+ep /bin/umount


[extra]

xorg-xserver

chmod u-s /usr/bin/Xorg
setcap cap_chown,cap_dac_override,cap_sys_rawio,cap_sys_admin+ep /usr/bin/Xorg


[community]

Useful commands

Find setuid files

find /bin /sbin/ /usr/bin/ /usr/sbin/ -perm /4000
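
To confirm that a conversion took effect, the following added example (not part of the original article) checks that each listed binary has lost its setuid bit and carries exactly the expected capabilities. The function names, the table format and the GETCAP override are assumptions of this example; it compares capability names only, not the +ep flags.

```shell
#!/bin/sh
# Verify a setuid-to-capabilities conversion (added example).
# stdin: lines of "<path> <comma-separated caps>", e.g. "/bin/ping cap_net_raw".
# GETCAP is an assumed override hook for testing; the default is getcap(8).
GETCAP=${GETCAP:-getcap}

# Reduce one line of getcap output to a sorted, comma-separated list of
# capability names. Accepts both output styles:
#   "/bin/ping = cap_net_raw+ep"   (older libcap)
#   "/bin/ping cap_net_raw=ep"     (newer libcap)
normalize_caps() {
    awk '{ print $NF }' | sed 's/[+=][eip]*$//' \
        | tr ',' '\n' | LC_ALL=C sort | paste -sd, -
}

# Print one status line per table entry; return 1 if any entry still has
# the setuid bit or its capability set differs from the expected one.
verify_caps() {
    rc=0
    while read -r path want; do
        case $path in ''|'#'*) continue ;; esac
        if [ ! -e "$path" ]; then
            echo "SKIP $path (not installed)"
            continue
        fi
        if [ -u "$path" ]; then
            echo "SETUID $path (setuid bit still set)"
            rc=1
            continue
        fi
        have=$($GETCAP "$path" </dev/null 2>/dev/null | normalize_caps)
        want=$(printf '%s\n' "$want" | normalize_caps)
        if [ "$have" = "$want" ]; then
            echo "OK $path $have"
        else
            echo "DIFF $path have=[$have] want=[$want]"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: ./verify-caps.sh table.txt
if [ "$#" -gt 0 ]; then
    verify_caps < "$1"
fi
```

A DIFF line with an empty have=[] means no file capabilities are set on that path, for example after a package upgrade replaced the binary.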


Additional Resources

  • Man pages: capabilities(7), setcap(8), getcap(8)