This series is divided into three parts:
- Linux Capabilities introductory tutorial: basic hands-on chapter
- to be continued...
The previous article described the background behind Linux capabilities and their basic principles. This article shows, through concrete examples, how to view and set file capabilities.
Linux provides two main toolkits for managing capabilities: libcap and libcap-ng. libcap provides the getcap and setcap commands for viewing and setting file capabilities, plus capsh for viewing the capabilities of the current shell process. libcap-ng is simpler to use: a single command, filecap, both views and sets capabilities.
1. libcap
Installation is straightforward. On CentOS, for example, it can be installed with the following command:
$ yum install -y libcap
To see the capabilities of the current shell process, use the capsh command. The following is the capsh output for the root user on a CentOS system:
$ capsh --print
Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+ep
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=0(root)
Explanation:
- Current: the Effective and Permitted capabilities of the current shell process. It may contain several groups, each of the form capability[,capability...]+(e|i|p), where e stands for Effective, i for Inheritable and p for Permitted. Groups are separated by a space, for example: Current: = cap_sys_chroot+ep cap_net_bind_service+eip. As another example, cap_net_bind_service+e cap_net_bind_service+ip and cap_net_bind_service+eip are equivalent.
- Bounding set: shows only the capabilities in the Bounding set and no other set, so no +... suffix is appended to the group.
- Securebits: I haven't figured out what the hell this is.
The output of this command is fairly limited; the complete information is in the /proc file system. For the current shell process, for example, look at /proc/$$/status. One important field there is NoNewPrivs, which can be viewed with the following command:
$ grep NoNewPrivs /proc/$$/status
NoNewPrivs: 0
According to the prctl(2) man page, since Linux 4.10 the NoNewPrivs value in /proc/[pid]/status reflects the thread's no_new_privs attribute. As for what no_new_privs actually does, I will explain it separately.
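The Cap* lines in /proc/[pid]/status (CapInh, CapPrm, CapEff, CapBnd) are hex bitmasks rather than names. The following added example (not from the article) decodes such a mask into the same names capsh prints, using a constructed status sample for a ping process; the bit numbering follows <linux/capability.h>.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Capability names indexed by bit number, following <linux/capability.h>
 * (CAP_CHOWN = 0 ... CAP_AUDIT_READ = 37), the same order capsh prints. */
static const char *const cap_names[] = {
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read",
};
#define NCAPS (sizeof cap_names / sizeof cap_names[0])

/* Constructed sample of the relevant /proc/[pid]/status lines for a ping
 * process: permitted/effective hold bits 12 and 13, bounding holds all 38. */
static const char sample_status[] =
    "Name:\tping\nNoNewPrivs:\t0\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000003000\n"
    "CapEff:\t0000000000003000\nCapBnd:\t0000003fffffffff\n";

/* Parse the hex mask after "key" (e.g. "CapEff:"); 0 if the key is absent. */
unsigned long long status_mask(const char *status, const char *key) {
    const char *p = strstr(status, key);
    return p ? strtoull(p + strlen(key), NULL, 16) : 0;
}

/* Expand mask into a comma-separated name list in out; returns the count. */
int decode_caps(unsigned long long mask, char *out, size_t outlen) {
    int n = 0;
    out[0] = '\0';
    for (size_t i = 0; i < NCAPS; i++) {
        if (!(mask & (1ULL << i))) continue;
        if (n++) strncat(out, ",", outlen - strlen(out) - 1);
        strncat(out, cap_names[i], outlen - strlen(out) - 1);
    }
    return n;
}

int main(void) {
    char names[1024];
    int n = decode_caps(status_mask(sample_status, "CapEff:"), names, sizeof names);
    printf("CapEff: %d capabilities: %s\n", n, n ? names : "(none)");
    return 0;
}
```

To decode a live process, replace sample_status with the contents of /proc/<pid>/status.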
no_new_privs
Normally, the execve() system call can grant a newly started process privileges its parent did not have. The most common example is the setuid and setgid bits, which set the uid and gid of a program's process and thereby its file access rights. This leaves plenty of loopholes for people with bad intentions: a process can escalate its privileges simply by forking and executing such a program, for whatever ulterior purpose.
To address this, the Linux kernel introduced the no_new_privs attribute in version 3.5 (in fact just a bit that can be turned on and off), giving a process a way to remain effective and safe throughout every stage of an execve() call.
- Once no_new_privs is enabled, execve() guarantees that every operation must pass the execve() check before any privilege is granted. This ensures the thread and its child threads cannot obtain additional privileges, because setuid and setgid cannot take effect and file permissions cannot be set.
- Once no_new_privs is set on the current thread, no child thread created by fork, clone or execve can clear the bit.
Docker can enable the no_new_privs attribute via the --security-opt parameter, for example: docker run --security-opt=no_new_privs busybox. Let's look at an example to understand the role of no_new_privs.
First, write a C program that prints the effective user id of the current process:
$ cat testnnp.c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

int main(int argc, char *argv[])
{
    printf("Effective uid: %d\n", geteuid());
    return 0;
}
$ make testnnp
cc testnnp.c -o testnnp
Package the executable into a Docker image:
FROM fedora:latest
ADD testnnp /root/testnnp
RUN chmod +s /root/testnnp
ENTRYPOINT /root/testnnp
Build the image:
$ docker build -t testnnp .
Step 1 : FROM fedora:latest
---> 760a896a323f
Step 2 : ADD testnnp /root/testnnp
---> 6c700f277948
Removing intermediate container 0981144fe404
Step 3 : RUN chmod +s /root/testnnp
---> Running in c1215bfbe825
---> f1f07d05a691
Removing intermediate container c1215bfbe825
Step 4 : ENTRYPOINT /root/testnnp
---> Running in 5a4d324d54fa
---> 44f767c67e30
Removing intermediate container 5a4d324d54fa
Successfully built 44f767c67e30
Now run two experiments. First, start the container without no-new-privileges enabled:
$ docker run -it --rm --user=1000 testnnp
Effective uid: 0
As the output shows, simply giving the executable the SUID bit lets the process become root, even though we run the container as an ordinary user (UID = 1000).
Next, start the container with no-new-privileges enabled, which prevents the SUID bit on the executable from switching the UID at execution:
$ docker run -it --rm --user=1000 --security-opt=no-new-privileges testnnp
Effective uid: 1000
With no_new_privs enabled, the thread's effective user ID does not become root even though the executable has the SUID bit. So even if the code in the image has a security flaw, privilege escalation is still prevented and the attack is contained.
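What --security-opt does for the container is a single prctl(2) call before the entrypoint is executed. The following added example (not from the article) is a small wrapper that sets the bit with prctl, reads it back from /proc/self/status, and then execs the program given on the command line; running it as ./nnpexec ./testnnp, with nnpexec as an assumed name, prints the caller's euid instead of 0.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>

/* Set no_new_privs on the calling thread and return its state afterwards
 * (1 = set; the bit cannot be cleared and every child created by fork,
 * clone or execve inherits it). Returns -1 if prctl fails. */
int enable_no_new_privs(void) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return -1;
    }
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Read the NoNewPrivs field of /proc/self/status, the same field the
 * article greps (Linux 4.10+); returns its value, or -1 if not present. */
int proc_no_new_privs(void) {
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int v = -1;
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "NoNewPrivs: %d", &v) == 1) break;
    fclose(f);
    return v;
}

/* Usage: ./nnpexec ./testnnp  -> prints the caller's euid, not 0, because
 * execve() ignores setuid bits and file capabilities once the bit is set. */
int main(int argc, char *argv[]) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    if (enable_no_new_privs() != 1) return 1;
    printf("NoNewPrivs: %d\n", proc_no_new_privs());
    execvp(argv[1], argv + 1);
    perror("execvp");
    return 1;
}
```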
Kubernetes can also enable no_new_privs, but the logic is slightly more complicated. When the allowPrivilegeEscalation field in the Pod's SecurityContext is false (the default is false), the no_new_privs attribute is enabled if none of the following conditions holds:
- privileged=true is set
- the CAP_SYS_ADMIN capability is added, i.e. capAdd=CAP_SYS_ADMIN
- the container runs as root, i.e. UID = 0
For example, with privileged=true and allowPrivilegeEscalation=false, no_new_privs is not enabled. Likewise, with capAdd=CAP_SYS_ADMIN and allowPrivilegeEscalation=false, no_new_privs is not enabled.
Managing capabilities
Use getcap to view a file's capabilities, for example:
$ getcap /bin/ping /usr/sbin/arping
/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/arping = cap_net_raw+p
You can also use the -r parameter to query recursively:
$ getcap -r /usr 2>/dev/null
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/bin/newgidmap = cap_setgid+ep
/usr/bin/newuidmap = cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
To view the capabilities of a process, use getpcaps directly, followed by the process PID:
$ getpcaps 1234
To view the capabilities of a group of related processes (such as nginx), you can run:
$ getpcaps $(pgrep nginx)
You will see that only the master process has capabilities; the worker processes have none. This is because only the master needs special privileges, such as listening on network ports; the other processes merely answer requests.
To set file capabilities, use setcap with the following syntax:
$ setcap CAP+set filename
For example, to add the CAP_CHOWN and CAP_DAC_OVERRIDE capabilities to the permitted and effective sets:
$ setcap CAP_CHOWN,CAP_DAC_OVERRIDE+ep file1
To remove a file's capabilities, use the -r parameter:
$ setcap -r filename
2. libcap-ng
Installation is also simple; on CentOS, for example:
$ yum install libcap-ng-utils
Usage
libcap-ng uses the filecap command to manage file capabilities. A few caveats:
- When adding, removing or viewing capabilities with filecap, capability names do not take the CAP_ prefix (for example, use NET_ADMIN instead of CAP_NET_ADMIN);
- filecap does not support relative paths, only absolute paths;
- filecap does not let you choose which capability sets to act on; capabilities are always added to both the permitted and effective sets.
View a file's capabilities:
$ filecap /full/path/to/file
View the capabilities of all files in a directory recursively:
$ filecap /full/path/to/dir
For example:
$ filecap /usr/bin
file capabilities
/usr/bin/newgidmap setgid
/usr/bin/newuidmap setuid
Note: filecap only shows files whose capabilities are added to both the permitted and effective sets, so ping and arping are not shown.
View the capabilities of all files in the entire file system recursively:
$ filecap /
# or
$ filecap -a
The syntax for setting a file's capabilities is:
$ filecap /full/path/to/file cap_name
For example:
$ filecap /usr/bin/tac dac_override
Remove a file's capabilities:
$ filecap /full/path/to/file none
3. Summary
This article demonstrated how to manage the capabilities of executable files with two tools and, using Docker as an example, showed the power of no_new_privs. Where possible, we recommend trying to use capabilities in place of the full set of root privileges or the SUID root identity.