Linux Capabilities introductory tutorial: hands-on basics

This tutorial is divided into three parts.

The previous article covered the background of Linux capabilities and their basic principles; this one shows, through concrete examples, how to view and set file capabilities.

Linux offers two main toolsets for managing capabilities: libcap and libcap-ng. libcap provides the getcap and setcap commands for viewing and setting file capabilities, plus capsh for viewing the capabilities of the current shell process. libcap-ng is simpler to use: a single command, filecap, both views and sets capabilities.

1 libcap

Installation is straightforward. On CentOS, for example:

$ yum install -y libcap

To see the capabilities of the current shell process, use capsh. Here is the output of capsh run as root on a CentOS system:

$ capsh --print

Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+ep
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=0(root)

Explanation:

  • Current: the Effective and Permitted capabilities of the current shell process. It may contain several groups, each written as capability[,capability…]+(e|i|p), where e stands for Effective, i for Inheritable and p for Permitted. Groups are separated by spaces, for example: Current: = cap_sys_chroot+ep cap_net_bind_service+eip. As another example, cap_net_bind_service+e cap_net_bind_service+ip and cap_net_bind_service+eip are equivalent.

  • Bounding set: this lists only the capabilities in the Bounding set, not any other set, so no +… suffix is appended to the group.

  • Securebits: I didn't figure out what the hell this is.

The command output is limited; the complete information is available in the /proc file system. For the current shell process, look at /proc/$$/status. One important field there is NoNewPrivs, which you can view with the following command:

$ grep NoNewPrivs /proc/$$/status

NoNewPrivs:    0

According to prctl(2), since Linux 4.10 the NoNewPrivs value in /proc/[pid]/status reflects the thread's no_new_privs attribute. As for what no_new_privs does, let me explain it separately.

no_new_privs

Normally, the execve() system call can start a process with privileges its parent did not have. The most common example is setuid and setgid programs, which set the process's uid and gid from the file being executed. This has opened a lot of loopholes: a process can directly elevate its privileges by forking and executing such a program, for whatever ulterior motive.

To address this, Linux kernel 3.5 introduced the no_new_privs attribute (actually a bit that can be switched on) as a way to guarantee that a process stays safe across every stage of an execve() call.

  • Once no_new_privs is set, execve() guarantees that the program can only do what the caller was already allowed to do before the call. This ensures the thread and its children cannot obtain additional privileges, because setuid, setgid and file capabilities no longer take effect.

  • Once no_new_privs is set on the current thread, no child created by fork, clone or execve can clear the bit.
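As an added example (not code from the original post), the following C program exercises the no_new_privs bit described above on the calling process: it reads NoNewPrivs from /proc/self/status, sets the bit with prctl(PR_SET_NO_NEW_PRIVS), queries it back with PR_GET_NO_NEW_PRIVS, and forks a child to show that the child inherits it. The function names are my own; the prctl constants are the kernel's.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/wait.h>

/* Values from <linux/prctl.h>; defined here only as a fallback for old headers. */
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Read the NoNewPrivs field of /proc/self/status (present since Linux 4.10).
 * Returns 0 or 1, or -1 when the field is absent or /proc cannot be read. */
int nnp_from_proc(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int value = -1;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "NoNewPrivs: %d", &value) == 1)
            break;
    fclose(f);
    return value;
}

/* Ask the kernel directly; this is the same information as the /proc field. */
int nnp_from_prctl(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Set the bit for the calling thread. Returns 0 on success, -1 on error.
 * The operation is one-way: there is no way to clear the bit afterwards. */
int nnp_enable(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Fork a child and return the bit as the child observes it (passed back as the
 * child's exit status), showing that the attribute survives fork().
 * Returns -1 if the child could not be created or did not exit normally. */
int nnp_in_child(void)
{
    pid_t pid = fork();
    int status;
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(nnp_from_prctl() == 1 ? 1 : 0);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("before: prctl=%d proc=%d\n", nnp_from_prctl(), nnp_from_proc());
    if (nnp_enable() != 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return 1;
    }
    printf("after:  prctl=%d proc=%d child=%d\n",
           nnp_from_prctl(), nnp_from_proc(), nnp_in_child());
    return 0;
}
```

Run it as an unprivileged user: no special rights are needed to set the bit, and after the call the prctl value, the /proc field (on kernels that have it) and the forked child all report 1. Anything this process later execs, including a setuid binary such as the testnnp program built below, runs without gaining privileges.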

Docker can enable no_new_privs through the --security-opt parameter, for example: docker run --security-opt=no-new-privileges busybox. Let's look at an example to understand what no_new_privs does.

First, write a small C program that prints the effective user id of the current process:

$ cat testnnp.c

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Print the effective uid; with the SUID bit set on the file, this is normally the file owner's uid */
int main(void)
{
        printf("Effective uid: %d\n", (int)geteuid());
        return 0;
}
$ make testnnp
cc     testnnp.c   -o testnnp

Put the executable into a Docker image:

FROM fedora:latest
ADD testnnp /root/testnnp
RUN chmod +s /root/testnnp
ENTRYPOINT /root/testnnp

Build the image:

$ docker build -t testnnp .
Step 1 : FROM fedora:latest
 ---> 760a896a323f
Step 2 : ADD testnnp /root/testnnp
 ---> 6c700f277948
Removing intermediate container 0981144fe404
Step 3 : RUN chmod +s /root/testnnp
 ---> Running in c1215bfbe825
 ---> f1f07d05a691
Removing intermediate container c1215bfbe825
Step 4 : ENTRYPOINT /root/testnnp
 ---> Running in 5a4d324d54fa
 ---> 44f767c67e30
Removing intermediate container 5a4d324d54fa
Successfully built 44f767c67e30

Now two experiments. First, start the container without no-new-privileges enabled:

$ docker run -it --rm --user=1000  testnnp
Effective uid: 0

As the output shows, merely giving the executable the SUID bit means that even when the container is run as an ordinary user (UID 1000), the process's effective user becomes root.

Next, start the container with no-new-privileges enabled, which prevents the SUID bit from changing the UID when the executable runs:

$ docker run -it --rm --user=1000 --security-opt=no-new-privileges testnnp
Effective uid: 1000

With no_new_privs enabled, the thread's effective user ID does not become root even though the executable has the SUID bit. Even if the code in the image carries a security risk, privilege escalation is prevented, which limits the damage an attack can do.

Kubernetes can also enable no_new_privs, but the logic is a bit more involved. When the allowPrivilegeEscalation field in the Pod's SecurityContext is false (the default is false), no_new_privs is enabled as long as none of the following conditions holds:

  • privileged=true is set

  • CAP_SYS_ADMIN has been added, i.e. capAdd=CAP_SYS_ADMIN

  • running as root, i.e. UID = 0

For example, with privileged=true and allowPrivilegeEscalation=false, no_new_privs is not enabled. Likewise, with capAdd=CAP_SYS_ADMIN and allowPrivilegeEscalation=false, no_new_privs is not enabled.

Managing capabilities

Use getcap to view a file's capabilities, for example:

$ getcap /bin/ping /usr/sbin/arping

/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/arping = cap_net_raw+p

The -r parameter queries recursively:

$ getcap -r /usr 2>/dev/null

/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/bin/newgidmap = cap_setgid+ep
/usr/bin/newuidmap = cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
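The set notation explained under Current above (groups of capability[,capability…]+(e|i|p) that accumulate into one set of sets) and the getcap -r listing just shown can both be handled by a small parser. The C code below is an added example, not part of the original article or of libcap: it builds effective, inheritable and permitted bitmasks from that notation using the capability order from the capsh output, which lets you check the stated equivalence of cap_net_bind_service+e cap_net_bind_service+ip with cap_net_bind_service+eip, and audits constructed getcap-style "path = sets" lines, flagging files whose effective and permitted sets both carry a capability from an assumed watch list (cap_setuid, cap_setgid, cap_sys_admin, cap_dac_override). Only the + operator of the notation is implemented, and the "path = sets" line shape is the one this page shows.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Capability names in kernel bit order (bit 0 = cap_chown), from the capsh output above. */
static const char *const CAP_NAMES[] = {
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner", "cap_fsetid",
    "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap", "cap_linux_immutable",
    "cap_net_bind_service", "cap_net_broadcast", "cap_net_admin", "cap_net_raw",
    "cap_ipc_lock", "cap_ipc_owner", "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot",
    "cap_sys_ptrace", "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod", "cap_lease",
    "cap_audit_write", "cap_audit_control", "cap_setfcap", "cap_mac_override",
    "cap_mac_admin", "cap_syslog", "cap_wake_alarm", "cap_block_suspend", "cap_audit_read",
};
#define CAP_COUNT (sizeof CAP_NAMES / sizeof CAP_NAMES[0])

struct capsets { uint64_t effective, inheritable, permitted; };

/* Bit index of a capability name (case-insensitive), or -1 if unknown. */
int cap_index(const char *name)
{
    for (size_t i = 0; i < CAP_COUNT; i++)
        if (strcasecmp(name, CAP_NAMES[i]) == 0)
            return (int)i;
    return -1;
}

/* Parse space-separated "cap[,cap...]+flags" groups (flags e, i, p) into one
 * struct capsets; later groups accumulate. Returns 0, or -1 on a malformed
 * group or unknown name. Only the '+' operator of the notation is handled. */
int parse_capsets(const char *text, struct capsets *out)
{
    char buf[512], *groups, *group, *names, *name;
    memset(out, 0, sizeof *out);
    if (strlen(text) >= sizeof buf)
        return -1;
    strcpy(buf, text);
    for (group = strtok_r(buf, " \t\n", &groups); group; group = strtok_r(NULL, " \t\n", &groups)) {
        char *plus = strchr(group, '+');
        uint64_t mask = 0;
        if (!plus || plus[1] == '\0')
            return -1;
        *plus = '\0';                     /* names are before '+', flags after it */
        for (name = strtok_r(group, ",", &names); name; name = strtok_r(NULL, ",", &names)) {
            int idx = cap_index(name);
            if (idx < 0)
                return -1;
            mask |= (uint64_t)1 << idx;
        }
        for (const char *f = plus + 1; *f; f++) {
            if (*f == 'e') out->effective |= mask;
            else if (*f == 'i') out->inheritable |= mask;
            else if (*f == 'p') out->permitted |= mask;
            else return -1;
        }
    }
    return 0;
}

/* Audit one "path = sets" line of getcap -r output. Returns 1 (and lists the
 * names in reason) when a watch-listed capability is in both the effective
 * and permitted sets, 0 when not, -1 if the line does not parse. */
int audit_getcap_line(const char *line, char *reason, size_t reason_len)
{
    /* Assumed watch list for this example, not a standard: caps that warrant a review. */
    uint64_t watch = (1ULL << cap_index("cap_setuid")) | (1ULL << cap_index("cap_setgid")) |
                     (1ULL << cap_index("cap_sys_admin")) | (1ULL << cap_index("cap_dac_override"));
    const char *sets = strstr(line, " = ");
    struct capsets cs;
    uint64_t hit;
    reason[0] = '\0';
    if (!sets || parse_capsets(sets + 3, &cs) != 0)
        return -1;
    hit = cs.effective & cs.permitted & watch;
    for (size_t i = 0; i < CAP_COUNT; i++) {
        if (!(hit & (1ULL << i)))
            continue;
        if (reason[0])
            strncat(reason, ",", reason_len - strlen(reason) - 1);
        strncat(reason, CAP_NAMES[i], reason_len - strlen(reason) - 1);
    }
    return hit != 0;
}

int main(void)
{
    /* Constructed sample lines in the shape of the getcap -r listing above. */
    const char *lines[] = { "/usr/bin/ping = cap_net_admin,cap_net_raw+p",
                            "/usr/bin/newuidmap = cap_setuid+ep" };
    char why[128];
    for (size_t i = 0; i < 2; i++) {
        int r = audit_getcap_line(lines[i], why, sizeof why);
        printf("%-45s %s %s\n", lines[i], r == 1 ? "REVIEW" : r == 0 ? "ok" : "parse error", why);
    }
    return 0;
}
```

Note the distinction the audit relies on: ping carries cap_net_raw only in the permitted set (+p), so a process has to raise it into effective itself, while newuidmap gets cap_setuid in effective as well (+ep), which is why a periodic run of getcap -r piped through a check like this is a cheap way to notice an unexpected +ep file appearing on a host.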

To see the capabilities of a process, use getpcaps followed by the PID:

$ getpcaps 1234

To see the capabilities of a group of related processes (nginx, say), use:

$ getpcaps $(pgrep nginx)

Here only the master process has capabilities; the worker processes and other children have none. That is because only the master needs special privileges, such as binding to network ports, while the others only have to serve requests.

Set file capabilities with setcap, using the following syntax:

$ setcap CAP+set filename

For example, to add CAP_CHOWN and CAP_DAC_OVERRIDE to the permitted and effective sets:

$ setcap CAP_CHOWN,CAP_DAC_OVERRIDE+ep file1

To remove a file's capabilities, use the -r parameter:

$ setcap -r filename

2 libcap-ng

Installation is also straightforward; on CentOS, for example:

$ yum install libcap-ng-utils

Usage

libcap-ng manages file capabilities with the filecap command. A few caveats:

  • When viewing, adding or removing capabilities with filecap, capability names are given without the CAP_ prefix (for example NET_ADMIN instead of CAP_NET_ADMIN);

  • filecap does not support relative paths, only absolute paths;

  • filecap does not let you choose which set a capability goes into; capabilities are always added to both the permitted and effective sets.

View a file's capabilities:

$ filecap /full/path/to/file

View the capabilities of all files in a directory, recursively:

$ filecap /full/path/to/dir

For example:

$ filecap /usr/bin

file                 capabilities
/usr/bin/newgidmap     setgid
/usr/bin/newuidmap     setuid

Note: filecap only lists files whose capabilities are in both the permitted and effective sets, which is why ping and arping are not shown.

View the capabilities of every file in the entire file system, recursively:

$ filecap /
# or
$ filecap -a

The syntax for setting file capabilities is:

$ filecap /full/path/to/file cap_name

For example:

$ filecap /usr/bin/tac dac_override

Remove a file's capabilities:

$ filecap /full/path/to/file none

3 Summary

This article demonstrated how to manage executable file capabilities with two tools, and used Docker as an example to show the power of no_new_privs. Where conditions allow, we recommend trying to replace the full privileges of SUID root with capabilities.

4 References


Origin www.cnblogs.com/ryanyangcs/p/11798292.html