Linux capabilities with getcap|setcap and file capabilities

Linux capability

For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process’s credentials (usually: effective UID, effective GID, and supplementary group list).

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

Topic

  • Linux capabilities
  • How to grant a special capability to a program or binary
  • How to run a binary with a special capability from a non-root account
  • How to perform privileged operations with a capability instead of full root
  • getcap, setcap and file capabilities

Solution

Capabilities list

The following list shows a few of the capabilities implemented on Linux, and the operations or behaviors that each capability permits:

  • CAP_AUDIT_CONTROL: Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules.
  • CAP_NET_ADMIN: Perform various network-related operations: interface configuration, routing tables, firewall rules, promiscuous mode and similar.
  • CAP_SYS_ADMIN: A catch-all for a large number of system administration operations (mount, swapon, quotactl, ...). Because it is so broad, capabilities(7) itself describes it as effectively equivalent to root; grant it as reluctantly as you would grant a setuid-root bit.
  • CAP_KILL: Bypass permission checks for sending signals, so any signal (including SIGKILL) can be sent to any process.
  • CAP_SYS_CHROOT: Use chroot(2).

For the complete list of capabilities and their descriptions refer to the upstream capabilities(7) man page:
http://man7.org/linux/man-pages/man7/capabilities.7.html

Set capability

Use the setcap command to set file capabilities on a binary. The capabilities are stored in the file's security.capability extended attribute, so the filesystem must support xattrs, and setting them requires root (strictly, CAP_SETFCAP).

setcap - set file capabilities
setcap [-q] [-v] (capabilities|-|-r) filename [ ... capabilities file N ]

In the absence of the -v (verify) option setcap sets the capabilities of each specified filename to the capabilities specified. The -v option is used to verify that the specified capabilities are currently associated with the file.

  • Set cap_net_raw (which allows ping to create raw sockets) and cap_net_admin on the ping command:
    # setcap cap_net_admin,cap_net_raw+ep /usr/bin/ping

    Note that ping only needs raw sockets; cap_net_admin additionally lets it reconfigure interfaces, routes and firewall rules. Following least privilege, grant only cap_net_raw+ep unless the extra capability is actually required.

  • Set cap_net_admin capability to /usr/bin/program2

    # setcap cap_net_admin+ep /usr/bin/program2

  • Set cap_net_raw capability to /usr/bin/mtr-packet.

    # setcap cap_net_raw+ep /usr/bin/mtr-packet

In the above commands the letters after the capability names select which of the file's capability sets the capability is added to:
e: Effective. For files this is a single bit, not a set. If it is set, every capability in the new permitted set is also raised into the effective set at execve(), so the program can use it immediately. If it is not set, the program starts with the capability permitted but not effective and must raise it itself (capset(2), or cap_set_proc(3) from libcap) before use.
p: Permitted. Capabilities in the file's permitted set are added to the new process's permitted set at execve(), regardless of who runs the binary and regardless of the process's inheritable set. This is the set that actually grants privilege.
i: Inheritable. The file's inheritable set is ANDed with the executing process's inheritable set to decide which inheritable capabilities end up in the new permitted set. It does not propagate capabilities to the program's children; it only limits what an already-privileged caller can pass into this binary. Since an ordinary user's processes have an empty inheritable set, +i on its own grants nothing to them.

The getcap output style "+ep" or "=ep" is the same syntax: "+" adds the listed capabilities to the named sets, "=" first clears all sets and then assigns them.

For more information refer to:

man cap_from_text

Get capability

Execute the getcap command to see the capabilities set on a binary. Reading file capabilities does not require root.

$ getcap /usr/bin/ping
/usr/bin/ping = cap_net_admin,cap_net_raw+p

Note that this output reports only +p: the binary is permitted the capabilities but has to raise them into its effective set itself before using them (iputils ping does this). Directly after the setcap ... +ep command above, getcap would report +ep instead. Newer libcap releases print the same information as "/usr/bin/ping cap_net_admin,cap_net_raw=ep". To list every file with capabilities on the system, run getcap -r / 2>/dev/null; this is a quick way to find binaries an unprivileged user could use to obtain privileged operations.
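The following script is an added example written for this page, not code from the original post or from the libcap project. It reads getcap output in either the older "path = caps+flags" style shown above or the newer "path caps=flags" style, splits each entry into capability names and e/p/i flags, reports whether a capability is effective at exec or only permitted (so the program has to raise it itself), and flags binaries carrying capabilities that let their holder get back to full root. The sample getcap lines and the RISKY_CAPS list are constructed assumptions for offline use; grant_and_verify wraps setcap and needs root plus an xattr-capable filesystem, so it is defined but not run.

```shell
#!/bin/sh
# Added example (not from the original page): parse getcap output, interpret
# the e/p/i flags, and flag risky file capabilities. POSIX sh, no root needed.

# Constructed sample of `getcap -r / 2>/dev/null` output, mixing the older
# "path = caps+flags" style and the newer "path caps=flags" style.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/program2 = cap_net_admin+ep
/usr/local/bin/backup cap_dac_read_search,cap_setuid=eip
/usr/sbin/arping cap_net_raw=ep'

# Assumption: capabilities whose holder can read any file, change UID/GID or
# otherwise get back to full root. Adjust the list to your own policy.
RISKY_CAPS='cap_sys_admin cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_ptrace cap_sys_module cap_chown cap_fowner cap_setfcap'

# "/usr/bin/ping = cap_net_raw+ep" -> "/usr/bin/ping" (paths with spaces unsupported)
getcap_path() { p=${1% *}; printf '%s\n' "${p% =}"; }
# "/usr/bin/ping = cap_net_raw+ep" -> "cap_net_raw+ep"
getcap_caps() { printf '%s\n' "${1##* }"; }
# "cap_net_admin,cap_net_raw+ep" -> "cap_net_admin cap_net_raw"
cap_names() { printf '%s\n' "${1%%[+=]*}" | tr ',' ' '; }
# "cap_net_admin,cap_net_raw+ep" -> "ep"; empty when no operator is present
cap_flags() { case $1 in *[+=]*) printf '%s\n' "${1#*[+=]}" ;; *) printf '\n' ;; esac; }
# has_flag FLAGS LETTER: true if LETTER is among the flags
has_flag() { case $1 in *"$2"*) return 0 ;; esac; return 1; }
# True when the file grants the capability in permitted but not effective: the
# program then has to raise it itself (capset(2) / cap_set_proc(3)) before use.
needs_self_raise() { has_flag "$1" p && ! has_flag "$1" e; }

# audit_getcap GETCAP_OUTPUT: print one "RISKY path cap (state)" line per risky
# capability found. Always exits 0 so it can be called under `set -e`.
audit_getcap() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=$(getcap_path "$line")
        caps=$(getcap_caps "$line")
        flags=$(cap_flags "$caps")
        for name in $(cap_names "$caps"); do
            case " $RISKY_CAPS " in
                *" $name "*)
                    if needs_self_raise "$flags"; then
                        state="permitted only, program raises it itself"
                    elif has_flag "$flags" e; then
                        state="effective at exec"
                    else
                        state="flags: $flags"
                    fi
                    printf 'RISKY %s %s (%s)\n' "$path" "$name" "$state"
                    ;;
            esac
        done
    done
    return 0
}

# grant_and_verify FILE CAPTEXT: run setcap, then confirm with `setcap -v` and
# getcap. Needs root and an xattr-capable filesystem; defined here, not run.
grant_and_verify() { setcap "$2" "$1" && setcap -v "$2" "$1" && getcap "$1"; }

audit_getcap "$SAMPLE_GETCAP"
# Live run against the real system (reading file capabilities needs no root):
#   audit_getcap "$(getcap -r / 2>/dev/null)"
```

On the constructed sample the audit reports only /usr/local/bin/backup, once for cap_dac_read_search and once for cap_setuid, both effective at exec; the ping, mtr-packet, program2 and arping entries carry only network capabilities and are not flagged. To grant a capability and check it in one step, call for example grant_and_verify /usr/bin/mtr-packet cap_net_raw+ep as root.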

Remove capability

Execute the following command to remove all capabilities from a binary:

# setcap -r <binary>

For example, the following command removes all capabilities from ping with the -r switch:
# setcap -r /usr/bin/ping

The -r switch deletes the whole security.capability attribute; it cannot remove a single capability. To drop one capability and keep the rest, run setcap again with the full list of capabilities the binary should retain.

Reference
http://man7.org/linux/man-pages/man7/capabilities.7.html

About the Author: TekFik

TekFik is a technical blogging site helps techies and engineers to solve their day to day issues and also allows everyone to share knowledge and feedback. Please feel free to contact us at tekfik.rd@gmail.com if there is anything.
