Capabilities introductory tutorial: practical chapter

This series is divided into three parts:

The previous article described the background of Linux capabilities and their basic principles; this article shows, through concrete examples, how to view and set file capabilities.

Linux provides two main toolsets for managing capabilities: libcap and libcap-ng. libcap provides the getcap and setcap commands for viewing and setting file capabilities, and also capsh for viewing the capabilities of the current shell process. libcap-ng is easier to use: a single command, filecap, both views and sets capabilities.

1. libcap

Installation is simple; on CentOS, for example, it can be installed with the following command:

$ yum install -y libcap

To see the capabilities of the current shell process, use the capsh command. The following is the output of capsh run as root on a CentOS system:

$ capsh --print

Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+ep
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=0(root)

Explanation:

  • Current: the Effective and Permitted capabilities of the current shell process. It may contain several groups, each written as capability[,capability…]+(e|i|p), where e stands for Effective, i for Inheritable and p for Permitted. Groups are separated by spaces, for example: Current: = cap_sys_chroot+ep cap_net_bind_service+eip. As another example, cap_net_bind_service+e cap_net_bind_service+ip and cap_net_bind_service+eip are equivalent.

  • Bounding set: this only shows the capabilities in the Bounding set, not those of the other sets, so no +... suffix is appended to the group.

  • Securebits: I haven't figured out what the hell this is.
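The notation explained above can be decoded mechanically. The following C program is an added example, not code from the original article: it parses a capsh- or getcap-style capability string into Effective/Inheritable/Permitted bitmasks per capability, which also confirms the equivalence of the split and joined forms mentioned above. The function name cap_flags and the sample lines are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define CAP_E 1  /* Effective   (+e) */
#define CAP_I 2  /* Inheritable (+i) */
#define CAP_P 4  /* Permitted   (+p) */

/* Decode the letters after '+' into a CAP_* bitmask. */
static int flags_from_letters(const char *letters) {
    int mask = 0;
    for (; *letters; letters++) {
        if (*letters == 'e') mask |= CAP_E;
        else if (*letters == 'i') mask |= CAP_I;
        else if (*letters == 'p') mask |= CAP_P;
    }
    return mask;
}

/* Combined flags of `name` in a capsh/getcap style string. Groups are space
 * separated; within a group, comma-separated names share the flags after '+'.
 * A name found in several groups accumulates all of them, so "cap_x+e cap_x+ip"
 * equals "cap_x+eip". Tokens without '+' ("=" or a file path) are skipped. */
int cap_flags(const char *text, const char *name) {
    char buf[1024]; snprintf(buf, sizeof buf, "%s", text);
    int result = 0;
    char *gsave = NULL;
    for (char *group = strtok_r(buf, " ", &gsave); group;
         group = strtok_r(NULL, " ", &gsave)) {
        char *plus = strchr(group, '+');
        if (!plus) continue;
        *plus = '\0';
        int mask = flags_from_letters(plus + 1);
        char *nsave = NULL;
        for (char *n = strtok_r(group, ",", &nsave); n;
             n = strtok_r(NULL, ",", &nsave))
            if (strcmp(n, name) == 0) result |= mask;
    }
    return result;
}

int main(void) {
    /* constructed lines in the formats printed by capsh --print and getcap */
    const char *current = "= cap_sys_chroot+ep cap_net_bind_service+eip";
    printf("bind_service=%d ping net_raw=%d\n",
           cap_flags(current, "cap_net_bind_service"),
           cap_flags("/bin/ping = cap_net_admin,cap_net_raw+p", "cap_net_raw"));
    return 0;
}
```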

The output of this command is fairly limited; complete information can be found in the /proc file system. For the current shell process, for example, look at /proc/$$/status. One important status field is NoNewPrivs, which can be viewed with the following command:

grep NoNewPrivs /proc/$$/status

NoNewPrivs:    0

According to prctl(2), since Linux 4.10 the NoNewPrivs value in /proc/[pid]/status represents the thread's no_new_privs attribute. As for what no_new_privs does, I will explain it separately here.

no_new_privs

Normally, the execve() system call can give a process privileges that its parent did not have. The most common example is setuid and setgid programs, whose file permissions set the uid and gid of the process that runs them. This has left many loopholes for misuse: a process can elevate its privileges simply by forking and executing such a program, and so achieve whatever it wants.

To solve this problem, the Linux kernel introduced the no_new_privs attribute in release 3.5 (actually a single bit), providing a way for a process to remain effective and safe across every stage of an execve() call.

  • Once no_new_privs is enabled, execve() guarantees that every operation across the call is checked and performed only with the privileges already granted. This ensures that the thread and its children cannot obtain additional privileges, because setuid, setgid and file capabilities can no longer raise their privileges.

  • Once no_new_privs is set on the current thread, no child created by fork, clone or execve can clear this bit.
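To make the two points above concrete, here is an added C example (not code from the original article) that sets the bit with prctl(2), reads it back from the NoNewPrivs line in /proc/self/status, and shows that neither the process itself nor a forked child can clear it again. The function names are hypothetical; PR_SET_NO_NEW_PRIVS and PR_GET_NO_NEW_PRIVS are the real prctl(2) operations.

```c
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read the NoNewPrivs field of /proc/self/status (exposed since Linux 4.10).
 * Falls back to prctl(PR_GET_NO_NEW_PRIVS) if the field is absent. */
int read_no_new_privs(void) {
    int value = -1;
    FILE *f = fopen("/proc/self/status", "r");
    if (f) {
        char line[256];
        while (fgets(line, sizeof line, f))
            if (sscanf(line, "NoNewPrivs: %d", &value) == 1) break;
        fclose(f);
    }
    if (value < 0) value = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
    return value;
}

/* Turn the bit on; container runtimes do the same for the first process when
 * docker --security-opt=no-new-privileges is given. Returns 0 on success. */
int enable_no_new_privs(void) {
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* The kernel only accepts arg2 == 1, so an attempt to clear the bit fails.
 * Returns 1 when the kernel refused, which is the expected outcome. */
int clearing_is_refused(void) {
    return prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == -1;
}

/* Fork a child and report the NoNewPrivs value it sees (via its exit code):
 * after enable_no_new_privs() the child inherits 1 and cannot drop it. */
int child_no_new_privs(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(read_no_new_privs() == 1 ? 1 : 0);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    enable_no_new_privs();
    printf("NoNewPrivs=%d child=%d clear refused=%d\n",
           read_no_new_privs(), child_no_new_privs(), clearing_is_refused());
    return 0;
}
```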

Docker can enable the no_new_privs attribute with the --security-opt parameter, for example: docker run --security-opt=no-new-privileges busybox. Let's look at an example to understand the role of the no_new_privs attribute.

First, write a C program that prints the effective user ID of the current process:

$ cat testnnp.c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

int main(int argc, char *argv[])
{
    /* With the SUID bit set, the effective UID is the file owner's, not the caller's */
    printf("Effective uid: %d\n", (int) geteuid());
    return 0;
}
$ make testnnp
cc     testnnp.c   -o testnnp

Put the executable into a Docker image:

FROM fedora:latest
ADD testnnp /root/testnnp
RUN chmod +s /root/testnnp
ENTRYPOINT /root/testnnp

Build the image:

$ docker build -t testnnp .
Step 1 : FROM fedora:latest
 ---> 760a896a323f
Step 2 : ADD testnnp /root/testnnp
 ---> 6c700f277948
Removing intermediate container 0981144fe404
Step 3 : RUN chmod +s /root/testnnp
 ---> Running in c1215bfbe825
 ---> f1f07d05a691
Removing intermediate container c1215bfbe825
Step 4 : ENTRYPOINT /root/testnnp
 ---> Running in 5a4d324d54fa
 ---> 44f767c67e30
Removing intermediate container 5a4d324d54fa
Successfully built 44f767c67e30

Here we do two experiments. First, start the container without enabling no-new-privileges:

$ docker run -it --rm --user=1000  testnnp
Effective uid: 0

The output shows that simply giving the executable the SUID bit makes the process become root, even though we ran the container as an ordinary user (UID = 1000).

Next, start the container with no-new-privileges enabled, to prevent the SUID bit on the executable from changing the UID on execution:

$ docker run -it --rm --user=1000 --security-opt=no-new-privileges testnnp
Effective uid: 1000

As you can see, once the no_new_privs attribute is enabled, the thread's effective user ID does not become root even though the executable has the SUID bit. So even if the code in the image has a security flaw, it is prevented from escalating privileges, which limits the damage of an attack.

Kubernetes can also enable no_new_privs, but the logic is a little more complicated. When the allowPrivilegeEscalation field in the Pod's SecurityContext is false (the default is false), no_new_privs is enabled as long as none of the following conditions holds:

  • privileged=true is set

  • the CAP_SYS_ADMIN capability has been added, that is, capAdd=CAP_SYS_ADMIN

  • the container runs as root, i.e. UID = 0

For example, when privileged=true and allowPrivilegeEscalation=false are both set, no_new_privs is not enabled. Similarly, with capAdd=CAP_SYS_ADMIN and allowPrivilegeEscalation=false, no_new_privs is not enabled.

Managing capabilities

You can view a file's capabilities with getcap, for example:

$ getcap /bin/ping /usr/sbin/arping

/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/arping = cap_net_raw+p

You can also use the -r parameter to query recursively:

$ getcap -r /usr 2>/dev/null

/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/bin/newgidmap = cap_setgid+ep
/usr/bin/newuidmap = cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p

To see the capabilities of a process, use getpcaps directly, followed by the process PID:

$ getpcaps 1234

To see the capabilities of a group of related processes (such as nginx), you can use:

$ getpcaps $(pgrep nginx)

You will see that only the master process has capabilities; the worker processes have none. This is because only the master needs special privileges, such as binding to network ports; the workers only need to respond to requests.

File capabilities can be set with setcap using the following syntax:

$ setcap CAP+set filename

For example, to add the CAP_CHOWN and CAP_DAC_OVERRIDE capabilities to the permitted and effective sets:

$ setcap CAP_CHOWN,CAP_DAC_OVERRIDE+ep file1

To remove a file's capabilities, use the -r parameter:

$ setcap -r filename

2. libcap-ng

Installation is likewise simple; on CentOS, for example:

$ yum install libcap-ng-utils

Usage

libcap-ng manages file capabilities with the filecap command. There are a few caveats:

  • When filecap views, adds or deletes capabilities, capability names are given without the CAP_ prefix (for example, NET_ADMIN instead of CAP_NET_ADMIN);

  • filecap does not support relative paths, only absolute paths;

  • filecap does not allow choosing which set a capability goes into; capabilities are always added to both the permitted and effective sets.

View file capabilities:

$ filecap /full/path/to/file

View the capabilities of all files in a directory recursively:

$ filecap /full/path/to/dir

For example:

$ filecap /usr/bin

file                 capabilities
/usr/bin/newgidmap     setgid
/usr/bin/newuidmap     setuid

Note: filecap only shows files whose capabilities are in both the permitted and effective sets, which is why ping and arping are not displayed.

View the capabilities of all files on the entire file system recursively:

$ filecap /
# or
$ filecap -a

The syntax for setting file capabilities is as follows:

$ filecap /full/path/to/file cap_name

For example:

$ filecap /usr/bin/tac dac_override

Remove a file's capabilities:

$ filecap /full/path/to/file none

3. Summary

This article has shown how to manage the capabilities of executable files, introduced the two tools for doing so, and demonstrated the power of no_new_privs using Docker as an example. Where conditions permit, we recommend trying to use capabilities in place of full root privileges or the SUID bit.


Origin www.cnblogs.com/cider/p/11840878.html