Capabilities (POSIX 1003.1e, setuid attribute in a system binary with a more minimal set of capabilities. Many packages make use of capabilities, such as
CAP_NET_RAW being used for . This enables
fping to be run by a normal user (as with the setuid method), while at the same time limiting the security consequences of a potential vulnerability in
Capabilities are implemented on Linux using extended attributes ( ) in the security namespace. Extended attributes are supported by all major Linux file systems, including Ext2, Ext3, Ext4, Btrfs, JFS, XFS, and Reiserfs. The following example prints the capabilities of fping with
getcap, and then prints the same data in its encoded form using
$ getcap /usr/bin/fping
$ getfattr -d -m "^security\\." /usr/bin/fping
# file: usr/bin/fping security.capability=0sAQAAAgAgAAAAAAAAAAAAAAAAAAA=
Extended attributes are copied automatically by
cp -a, but some other programs require a special flag:
Capabilities are set by package install scripts on Arch (e.g.
Administration and maintenance
It is considered a bug if a package has overly permissive capabilities, so these cases should be reported rather than listed here. A capability essentially equivalent to root access (
CAP_SYS_ADMIN) or trivially allowing root access (
CAP_DAC_OVERRIDE) does not count as a bug since Arch does not support any MAC/RBAC systems.
Other programs that benefit from capabilities
The following packages do not have files with the setuid attribute but require root privileges to work. By enabling some capabilities, regular users can use the program without privilege elevation.
+ep behind the capabilities indicate the capability sets effective and permitted, more information can be found at .
# setcap cap_dac_override,cap_sys_tty_config+ep /usr/bin/beep
# setcap cap_dac_read_search,cap_sys_tty_config+ep /usr/bin/chvt
# setcap cap_net_raw+ep /usr/bin/iftop
# setcap cap_net_admin+ep /usr/bin/mii-tool
# setcap cap_net_raw+ep /usr/bin/mtr-packet
# setcap cap_net_admin,cap_net_raw+ep /usr/bin/nethogs
# setcap cap_net_admin+ep /usr/bin/wavemon
Find setuid-root files:
$ find /usr/bin /usr/lib -perm /4000 -user root
Find setgid-root files:
$ find /usr/bin /usr/lib -perm /2000 -group root
Running a program with temporary capabilities
Using GDB using the
$ sudo -E capsh --caps="cap_setpcap,cap_setuid,cap_setgid+ep cap_sys_ptrace+eip" --keep=1 --user="$USER" --addamb="cap_sys_ptrace" --shell=/usr/bin/gdb -- -p <pid>
-E is supplied to
sudo above to pass the current user's login environment, e.g., the
PATH variable and so on, to the child process(es).
An example of binding to a low port using netcat, in this case 123:
$ sudo -E capsh --caps="cap_setpcap,cap_setuid,cap_setgid+ep cap_net_bind_service+eip" --keep=1 --user="$USER" --addamb="cap_net_bind_service" --shell=/usr/bin/nc -- -lvtn 123 Listening on 0.0.0.0 123
Both of the above examples are really just for illustrative purposes, as (on most systems) you would be able to attach debugger to a process owned by any user, or open a port < 1024 as the root user, regardless. The use of
capsh may provide some security benefits, though, as
capsh --user runs as the named user, with all the normal kernel capabilities (i.e., restrictions) in place.