Capabilities: Difference between revisions

From ArchWiki
m (→‎See also: Style: Use "Wikibooks:" interwiki prefix instead of external link syntax.)
(→‎Running a program with temporary capabilities: revert https://wiki.archlinux.org/index.php?title=Capabilities&diff=next&oldid=794809 - sudo's -E flag is common enough and the Help:Style#Spelling section does not apply to command options)
 
(29 intermediate revisions by 9 users not shown)
Line 2: Line 2:
[[ja:ケイパビリティ]]
[[ja:ケイパビリティ]]
[[pt:Capabilities]]
[[pt:Capabilities]]
[[ru:Capabilities]]
[[zh-hans:Capabilities]]
[[zh-hans:Capabilities]]
Capabilities (POSIX 1003.1e, {{man|7|capabilities}}) provide fine-grained control over superuser permissions, allowing use of the root user to be avoided. Software developers are encouraged to replace uses of the powerful [[wikipedia:Setuid|setuid]] attribute in a system binary with a more minimal set of capabilities. Many packages make use of capabilities, such as {{ic|CAP_NET_RAW}} being used for the {{ic|ping}} binary provided by {{pkg|iputils}}. This enables e.g. {{ic|ping}} to be run by a normal user (as with the '''setuid''' method), while at the same time limiting the security consequences of a potential vulnerability in {{ic|ping}}.
Capabilities (POSIX 1003.1e, {{man|7|capabilities}}) provide fine-grained control over superuser permissions, allowing use of the root user to be avoided. Software developers are encouraged to replace uses of the powerful [[wikipedia:Setuid|setuid]] attribute in a system binary with a more minimal set of capabilities. Many packages make use of capabilities, such as {{ic|CAP_NET_RAW}} being used for {{Pkg|fping}}. This enables {{ic|fping}} to be run by a normal user (as with the '''setuid''' method), while at the same time limiting the security consequences of a potential vulnerability in {{ic|fping}}.


== Implementation ==
== Implementation ==


Capabilities are implemented on Linux using [[extended attributes]] ({{man|7|xattr}}) in the ''security'' namespace. Extended attributes are supported by all major Linux [[file systems]], including Ext2, Ext3, Ext4, Btrfs, JFS, XFS, and Reiserfs. The following example prints the capabilities of ping with {{ic|getcap}}, and then prints the same data in its encoded form using {{ic|getfattr}}:
Capabilities are implemented on Linux using [[extended attributes]] ({{man|7|xattr}}) in the ''security'' namespace. Extended attributes are supported by all major Linux [[file systems]], including Ext2, [[Ext3]], [[Ext4]], [[Btrfs]], [[JFS]], [[XFS]], and Reiserfs. The following example prints the capabilities of fping with {{ic|getcap}}, and then prints the same data in its encoded form using {{ic|getfattr}}:


{{hc|$ getcap /usr/bin/ping|2=
{{hc|$ getcap /usr/bin/fping|2=
/usr/bin/ping = cap_net_raw+ep
/usr/bin/fping cap_net_raw=ep
}}
}}


{{hc|$ getfattr -d -m "^security\\." /usr/bin/ping|2=
{{hc|1=$ getfattr --dump --match="^security\\." /usr/bin/fping|2=
# file: usr/bin/ping
# file: usr/bin/fping
security.capability=0sAQAAAgAgAAAAAAAAAAAAAAAAAAA=
security.capability=0sAQAAAgAgAAAAAAAAAAAAAAAAAAA=
}}
}}


Extended attributes are copied automatically by {{ic|cp -a}}, but some other programs require a special flag: {{ic|rsync -X}}.
Some programs copy extended attributes automatically, while others require a special flag. Examples for both classes are at [[extended attributes#Preserving extended attributes]].


Capabilities are set by package install scripts on Arch (e.g. {{ic|iputils.install}}).
Capabilities are set by [[PKGBUILD#install|package install scripts]] on Arch, e.g. [https://gitlab.archlinux.org/archlinux/packaging/packages/fping/-/blob/main/fping.install fping.install].


== Administration and maintenance ==
== Administration and maintenance ==


It is considered a bug if a package has overly permissive capabilities, so these cases should be reported rather than listed here. A capability essentially equivalent to root access ({{ic|CAP_SYS_ADMIN}}) or trivially allowing root access ({{ic|CAP_DAC_OVERRIDE}}) does not count as a bug since Arch does not support any [[Security#Mandatory access control|MAC/RBAC]] systems.
It is considered a bug if a package has overly permissive capabilities, so these cases should be reported rather than listed here. A capability essentially equivalent to root access ({{ic|CAP_SYS_ADMIN}}) or trivially allowing root access ({{ic|CAP_DAC_OVERRIDE}}) does not count as a bug since Arch does not support any [[Security#Mandatory access control|MAC]]/[[w:Role-based access control|RBAC]] systems.


{{Warning|1=Many capabilities enable trivial privilege escalation. For examples and explanations see Brad Spengler's post [https://forums.grsecurity.net/viewtopic.php?f=7&t=2522&sid=c6fbcf62fd5d3472562540a7e608ce4e#p10271 False Boundaries and Arbitrary Code Execution].}}
{{Warning|1=Many capabilities enable trivial privilege escalation. For examples and explanations see Brad Spengler's post [https://forums.grsecurity.net/viewtopic.php?f=7&t=2522&sid=c6fbcf62fd5d3472562540a7e608ce4e#p10271 False Boundaries and Arbitrary Code Execution].}}
Line 32: Line 33:
The following packages do not have files with the setuid attribute but require root privileges to work. By enabling some capabilities, regular users can use the program without privilege elevation.
The following packages do not have files with the setuid attribute but require root privileges to work. By enabling some capabilities, regular users can use the program without privilege elevation.


=== beep ===
The {{ic|+ep}} behind the capabilities indicate the capability sets ''effective'' and ''permitted'', more information can be found at {{man|7|capabilities|File capabilities}}.


# setcap cap_dac_override,cap_sys_tty_config+ep /usr/bin/beep
{| class=wikitable
 
! program || Command (run as root)
=== chvt ===
|-
 
| [[Beep]] || {{ic|setcap cap_dac_override,cap_sys_tty_config+ep /usr/bin/beep}}
# setcap cap_dac_read_search,cap_sys_tty_config+ep /usr/bin/chvt
|-
 
| {{man|1|chvt}} || {{ic|setcap cap_dac_read_search,cap_sys_tty_config+ep /usr/bin/chvt}}
=== iftop ===
|-
 
| {{man|8|iftop}} || {{ic|setcap cap_net_raw+ep /usr/bin/iftop}}
# setcap cap_net_raw+ep /usr/bin/iftop
|-
 
| {{man|8|mii-tool}} || {{ic|setcap cap_net_admin+ep /usr/bin/mii-tool}}
=== mii-tool ===
|-
 
| {{man|8|mtr}} || {{ic|setcap cap_net_raw+ep /usr/bin/mtr-packet}}
# setcap cap_net_admin+ep /usr/bin/mii-tool
|-
 
| {{man|8|nethogs}} || {{ic|setcap cap_net_admin,cap_net_raw+ep /usr/bin/nethogs}}
=== mtr ===
|-
 
| {{man|1|wavemon}} || {{ic|setcap cap_net_admin+ep /usr/bin/wavemon}}
# setcap cap_net_raw+ep /usr/bin/mtr-packet
|}
 
=== nethogs ===
 
# setcap cap_net_admin,cap_net_raw+ep /usr/bin/nethogs
 
=== wavemon ===
 
# setcap cap_net_admin+ep /usr/bin/wavemon


== Useful commands ==
== Useful commands ==
Line 72: Line 65:
== Running a program with temporary capabilities ==
== Running a program with temporary capabilities ==


Using {{man|1|capsh}} it is possible to run a program with some specific capabilities without modifying the extended attributes of the binary.
Using {{man|1|capsh}} it is possible to run a program with some specific capabilities without modifying the extended attributes of the binary. The following example shows how to attach to a process using [[GDB]] using the {{ic|CAP_SYS_PTRACE}} capability:
The following example shows how to attach to a process using [[GDB]] using the {{ic|CAP_SYS_PTRACE}} capability:


  $ sudo -E capsh --caps="cap_setpcap,cap_setuid,cap_setgid+ep cap_sys_ptrace+eip" --keep=1 --user="$USER" --addamb="cap_sys_ptrace" --shell=/usr/bin/gdb -- -p <pid>
  $ sudo -E capsh --caps="cap_setpcap,cap_setuid,cap_setgid+ep cap_sys_ptrace+eip" --keep=1 --user="$USER" --addamb="cap_sys_ptrace" --shell=/usr/bin/gdb -- -p <pid>


An example of binding to a low port using [[netcat]]:
The {{ic|-E}} is supplied to {{ic|sudo}} above to pass the current user's login environment, ''e.g.,'' the {{ic|PATH}} variable and so on, to the child process(es).
 
An example of binding to a low port using [[netcat]], in this case 123:


  $ sudo -E capsh --caps="cap_setpcap,cap_setuid,cap_setgid+ep cap_net_bind_service+eip" --keep=1 --user="$USER" --addamb="cap_net_bind_service" --shell=/usr/bin/nc -- -lvtn 123
  $ sudo -E capsh --caps="cap_setpcap,cap_setuid,cap_setgid+ep cap_net_bind_service+eip" --keep=1 --user="$USER" --addamb="cap_net_bind_service" --shell=/usr/bin/nc -- -lvtn 123
  Listening on 0.0.0.0 123
  Listening on 0.0.0.0 123
Both of the above examples are really just for illustrative purposes, as (on most systems) you would be able to attach debugger to a process owned by any user, or open a port < 1024 as the root user, regardless. The use of {{ic|capsh}} may provide some security benefits, though, as {{ic|capsh --user}} runs as the named user, with all the normal kernel capabilities (''i.e.'', restrictions) in place.


== See also ==
== See also ==
Line 86: Line 82:
* Man pages: {{man|7|capabilities}}, {{man|8|setcap}}, {{man|8|getcap}}
* Man pages: {{man|7|capabilities}}, {{man|8|setcap}}, {{man|8|getcap}}
* [[Wikibooks:Grsecurity/Appendix/Capability Names and Descriptions]]
* [[Wikibooks:Grsecurity/Appendix/Capability Names and Descriptions]]
* [https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html Seccomp BPF (SECure COMPuting with filters)]
* [https://docs.kernel.org/userspace-api/seccomp_filter.html Seccomp BPF (SECure COMPuting with filters)]

Latest revision as of 21:42, 25 December 2023

Capabilities (POSIX 1003.1e, capabilities(7)) provide fine-grained control over superuser permissions, allowing use of the root user to be avoided. Software developers are encouraged to replace uses of the powerful setuid attribute in a system binary with a more minimal set of capabilities. Many packages make use of capabilities, such as CAP_NET_RAW being used for fping. This enables fping to be run by a normal user (as with the setuid method), while at the same time limiting the security consequences of a potential vulnerability in fping.

Implementation

Capabilities are implemented on Linux using extended attributes (xattr(7)) in the security namespace. Extended attributes are supported by all major Linux file systems, including Ext2, Ext3, Ext4, Btrfs, JFS, XFS, and Reiserfs. The following example prints the capabilities of fping with getcap, and then prints the same data in its encoded form using getfattr:

$ getcap /usr/bin/fping
/usr/bin/fping cap_net_raw=ep
$ getfattr --dump --match="^security\\." /usr/bin/fping
# file: usr/bin/fping
security.capability=0sAQAAAgAgAAAAAAAAAAAAAAAAAAA=

Some programs copy extended attributes automatically, while others require a special flag. Examples for both classes are at extended attributes#Preserving extended attributes.

Capabilities are set by package install scripts on Arch, e.g. fping.install.

Administration and maintenance

It is considered a bug if a package has overly permissive capabilities, so these cases should be reported rather than listed here. A capability essentially equivalent to root access (CAP_SYS_ADMIN) or trivially allowing root access (CAP_DAC_OVERRIDE) does not count as a bug since Arch does not support any MAC/RBAC systems.

Warning: Many capabilities enable trivial privilege escalation. For examples and explanations see Brad Spengler's post False Boundaries and Arbitrary Code Execution.

Other programs that benefit from capabilities

The following packages do not have files with the setuid attribute but require root privileges to work. By enabling some capabilities, regular users can use the program without privilege elevation.

The +ep behind the capabilities indicate the capability sets effective and permitted, more information can be found at capabilities(7) § File capabilities.

program Command (run as root)
Beep setcap cap_dac_override,cap_sys_tty_config+ep /usr/bin/beep
chvt(1) setcap cap_dac_read_search,cap_sys_tty_config+ep /usr/bin/chvt
iftop(8) setcap cap_net_raw+ep /usr/bin/iftop
mii-tool(8) setcap cap_net_admin+ep /usr/bin/mii-tool
mtr(8) setcap cap_net_raw+ep /usr/bin/mtr-packet
nethogs(8) setcap cap_net_admin,cap_net_raw+ep /usr/bin/nethogs
wavemon(1) setcap cap_net_admin+ep /usr/bin/wavemon

Useful commands

Find setuid-root files:

$ find /usr/bin /usr/lib -perm /4000 -user root

Find setgid-root files:

$ find /usr/bin /usr/lib -perm /2000 -group root

Running a program with temporary capabilities

Using capsh(1) it is possible to run a program with some specific capabilities without modifying the extended attributes of the binary. The following example shows how to attach to a process using GDB using the CAP_SYS_PTRACE capability:

$ sudo -E capsh --caps="cap_setpcap,cap_setuid,cap_setgid+ep cap_sys_ptrace+eip" --keep=1 --user="$USER" --addamb="cap_sys_ptrace" --shell=/usr/bin/gdb -- -p <pid>

The -E is supplied to sudo above to pass the current user's login environment, e.g., the PATH variable and so on, to the child process(es).

An example of binding to a low port using netcat, in this case 123:

$ sudo -E capsh --caps="cap_setpcap,cap_setuid,cap_setgid+ep cap_net_bind_service+eip" --keep=1 --user="$USER" --addamb="cap_net_bind_service" --shell=/usr/bin/nc -- -lvtn 123
Listening on 0.0.0.0 123

Both of the above examples are really just for illustrative purposes, as (on most systems) you would be able to attach debugger to a process owned by any user, or open a port < 1024 as the root user, regardless. The use of capsh may provide some security benefits, though, as capsh --user runs as the named user, with all the normal kernel capabilities (i.e., restrictions) in place.

See also