🛠️Capabilities
Theory
Linux capabilities are a way to improve permission granularity on Unix-like systems. They make it possible to follow the least-privilege principle by defining fine-grained permissions that can be attributed to threads and files. They work by splitting privileged kernel operations into groups of related functionality.
Basic processes: have no capabilities (file access is controlled by traditional file permissions).
(Binary) files: can have capabilities (filesystem-dependent).
Capabilities are separated into 5 sets:
| Set | Description |
| --- | --- |
| Effective set | the set that is used when doing permission checks. |
| Permitted set | capabilities that can be moved to the effective set by calling `capset()`. |
| Inheritable set | can be inherited from parent processes; can be moved to the effective set by calling `capset()`. |
| Bounding set | list of all the capabilities a process can ever receive (in its inheritable/permitted sets). |
| Ambient set | passed on through `execve()` of non-setuid files that have no file capabilities defined. |
Capability inheritance, capability drop
On a `fork()` call, the child thread has the same capabilities as the parent thread.
The `capset()` syscall allows a thread to:
- drop any capability from any set
- move capabilities from the permitted/inheritable sets to the effective set
If a thread calls `execve()` on a binary file, its capabilities are modified following the pattern described in the man pages (see `man capabilities`).
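To make the set semantics and the `execve()` rules concrete, here is an added example (not code from the original page): it decodes the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines of `/proc/<pid>/status` and applies the transformation rules from capabilities(7) for a non-setuid file that carries file capabilities. The sample status text is constructed, and the name table assumes a kernel with 41 capabilities (CAP_CHOWN through CAP_CHECKPOINT_RESTORE); set-user-ID-root binaries are not modelled.

```python
"""Decode a process's capability sets from /proc/<pid>/status and apply the
execve() transformation rules from capabilities(7).

Added example, not part of the original page. The capability name table
follows <linux/capability.h>; the transformation follows the
"Transformation of capabilities during execve()" section of capabilities(7).
Only file capabilities are modelled, not set-user-ID-root binaries."""
import re

# Capability names indexed by bit number (CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}
ALL_CAPS = (1 << len(CAP_NAMES)) - 1


def mask_to_names(mask):
    """Expand a capability bitmask into capability names (unknown bits as cap_N)."""
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else f"cap_{b}"
            for b in range(mask.bit_length()) if mask >> b & 1]


def names_to_mask(*names):
    """Build a bitmask from capability names."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_BIT[name]
    return mask


# /proc/<pid>/status field -> set name used below.
STATUS_FIELDS = {"CapInh": "inheritable", "CapPrm": "permitted",
                 "CapEff": "effective", "CapBnd": "bounding", "CapAmb": "ambient"}


def parse_status(text):
    """Extract the five capability sets (as ints) from a /proc/<pid>/status dump."""
    sets = {}
    for line in text.splitlines():
        m = re.match(r"(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m and m.group(1) in STATUS_FIELDS:
            sets[STATUS_FIELDS[m.group(1)]] = int(m.group(2), 16)
    missing = set(STATUS_FIELDS.values()) - set(sets)
    if missing:
        raise ValueError(f"status text lacks {sorted(missing)}")
    return sets


def read_process_caps(pid="self"):
    """Read the live capability sets of a process (Linux only)."""
    with open(f"/proc/{pid}/status") as f:
        return parse_status(f.read())


def execve_transform(proc, file_permitted=0, file_inheritable=0, file_effective=False):
    """Compute the thread's sets after execve() of a (possibly capability-bearing) file.

    P'(ambient)     = file has capabilities ? 0 : P(ambient)
    P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient)
    P'(effective)   = F(effective) ? P'(permitted) : P'(ambient)
    P'(inheritable) = P(inheritable);  P'(bounding) = P(bounding)
    """
    privileged_file = bool(file_permitted or file_inheritable)
    new_ambient = 0 if privileged_file else proc["ambient"]
    new_permitted = ((proc["inheritable"] & file_inheritable)
                     | (file_permitted & proc["bounding"])
                     | new_ambient)
    new_effective = new_permitted if file_effective else new_ambient
    return {"ambient": new_ambient, "permitted": new_permitted,
            "effective": new_effective, "inheritable": proc["inheritable"],
            "bounding": proc["bounding"]}


# Constructed sample: an unprivileged shell with empty sets and a full bounding set.
SAMPLE_STATUS = """\
Name:\tbash
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    shell = parse_status(SAMPLE_STATUS)
    setuid_file = names_to_mask("CAP_SETUID")
    # A binary carrying cap_setuid=ep executed from that shell gains CAP_SETUID:
    after = execve_transform(shell, file_permitted=setuid_file, file_effective=True)
    print("effective after execve:", mask_to_names(after["effective"]))
    # The same binary run from a shell whose bounding set lacks CAP_SETUID gains nothing:
    shell["bounding"] &= ~setuid_file
    after = execve_transform(shell, file_permitted=setuid_file, file_effective=True)
    print("with CAP_SETUID outside the bounding set:", mask_to_names(after["effective"]))
```

The second scenario is the mitigation angle: trimming the bounding set (for instance in a container runtime or a systemd unit) caps what any file capability can hand out, because F(permitted) is ANDed with P(bounding).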
Non-exhaustive capability list:
| Capability | Description |
| --- | --- |
| CAP_AUDIT_CONTROL | Toggle kernel auditing |
| CAP_AUDIT_WRITE | Write to kernel audit log |
| CAP_CHOWN | Change file owners |
| CAP_SETUID / CAP_SETGID | Change UID/GID |
| CAP_NET_RAW | Open raw and packet sockets |
| CAP_NET_BIND_SERVICE | Bind a socket to Internet domain privileged ports |
Practice
Setting a file's capabilities:
To change capabilities on a file, you need to run these commands as root:
Exploiting capabilities:
Empty capabilities
If a file has the capabilities `/path/to/file =ep`, it has all capabilities and will effectively run as root.
To create a file with empty (=all) capabilities, run `sudo setcap \=ep /path/to/file`
Other classic examples:
If the `python` binary has the `cap_setuid` capability, it becomes trivial to get a root shell:
Arbitrary file read: `zip` with `cap_dac_read_search`
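From the defender's side, the `=ep` case and binaries like the `python` and `zip` examples above are found by reading the `security.capability` extended attribute that `setcap` writes. The following added example (not code from the original page) decodes that attribute's on-disk layout as defined in `<linux/capability.h>`, recognises the `=ep` full-permitted case, flags a short list of high-impact capabilities, and walks a directory tree without depending on `getcap`. The two attribute values it decodes are constructed by hand; the NOTEWORTHY list and the 41-capability assumption are mine.

```python
"""Decode the security.capability extended attribute that setcap(8) stores on a
file, and scan a tree for capability-bearing binaries without relying on getcap.

Added example, not part of the original page. The on-disk layout follows
struct vfs_cap_data / vfs_ns_cap_data in <linux/capability.h>; the two sample
attribute values below are constructed by hand, not captured from a real system."""
import os
import stat
import struct

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001   # the "e" in getcap output
VFS_CAP_REVISION_1 = 0x01000000        # one 32-bit word per set
VFS_CAP_REVISION_2 = 0x02000000        # two words per set (64-bit masks)
VFS_CAP_REVISION_3 = 0x03000000        # revision 2 plus a user-namespace rootid
NUM_CAPS = 41                          # CAP_CHOWN..CAP_CHECKPOINT_RESTORE (assumes a recent kernel)
ALL_CAPS = (1 << NUM_CAPS) - 1

# Bits worth a second look in a review; names as getcap prints them (my selection).
NOTEWORTHY = {0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
              6: "cap_setgid", 7: "cap_setuid", 13: "cap_net_raw",
              19: "cap_sys_ptrace", 21: "cap_sys_admin", 31: "cap_setfcap"}


def decode_vfs_cap(raw):
    """Parse a raw security.capability value into permitted/inheritable masks."""
    if len(raw) < 4:
        raise ValueError("attribute too short")
    magic = struct.unpack_from("<I", raw, 0)[0]
    revision = magic & VFS_CAP_REVISION_MASK
    words = {VFS_CAP_REVISION_1: 1, VFS_CAP_REVISION_2: 2, VFS_CAP_REVISION_3: 2}.get(revision)
    if words is None:
        raise ValueError(f"unknown vfs cap revision {revision:#x}")
    expected = 4 + 8 * words + (4 if revision == VFS_CAP_REVISION_3 else 0)
    if len(raw) != expected:
        raise ValueError(f"expected {expected} bytes, got {len(raw)}")
    permitted = inheritable = 0
    for i in range(words):  # data[i] = {permitted, inheritable}, low word first
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = struct.unpack_from("<I", raw, 4 + 8 * words)[0] if revision == VFS_CAP_REVISION_3 else 0
    return {"revision": revision >> 24, "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": permitted, "inheritable": inheritable, "rootid": rootid}


def is_full_permitted(caps):
    """True for the "=ep" case: every capability permitted and raised on exec."""
    return caps["effective"] and caps["permitted"] & ALL_CAPS == ALL_CAPS


def noteworthy(caps):
    """Names from NOTEWORTHY that are present in the file's permitted set."""
    return [name for bit, name in sorted(NOTEWORTHY.items()) if caps["permitted"] >> bit & 1]


def describe(caps):
    """Render roughly like getcap(8): permitted names, then the set letters e/i/p."""
    if is_full_permitted(caps):
        names = ""  # getcap prints the all-capabilities case as a bare "=ep"
    else:
        names = ",".join(NOTEWORTHY.get(b, f"cap_{b}")
                         for b in range(caps["permitted"].bit_length()) if caps["permitted"] >> b & 1)
    flags = "".join(letter for letter, present in (("e", caps["effective"]),
                                                   ("i", caps["inheritable"] != 0),
                                                   ("p", caps["permitted"] != 0)) if present)
    return f"{names}={flags}"


def scan_tree(root):
    """Yield (path, decoded caps) for regular files carrying the attribute (Linux only)."""
    for dirpath, _, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not stat.S_ISREG(os.lstat(path).st_mode):
                    continue
                raw = os.getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:  # ENODATA (no attribute), EACCES, ENOTSUP: skip the file
                continue
            yield path, decode_vfs_cap(raw)


# Constructed revision-2 values: magic | effective flag, then (perm_lo, inh_lo), (perm_hi, inh_hi).
SAMPLE_ALL_EP = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                            0xFFFFFFFF, 0, ALL_CAPS >> 32, 0)   # what "setcap =ep" produces
SAMPLE_SETUID_EP = struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                               1 << 7, 0, 0, 0)                 # cap_setuid=ep

if __name__ == "__main__":
    for label, raw in (("=ep sample", SAMPLE_ALL_EP), ("setuid sample", SAMPLE_SETUID_EP)):
        caps = decode_vfs_cap(raw)
        print(label, describe(caps), "noteworthy:", noteworthy(caps))
    for path, caps in scan_tree("/usr/bin"):  # live scan; needs Linux and read access
        print(path, describe(caps), "noteworthy:", noteworthy(caps))
```

Running the scan periodically and diffing its output against a known-good baseline catches a capability that was added by hand (or, per the end notes, survived a `cp --preserve=all`) on a binary that is not supposed to carry one.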
End notes:
When copied from one place to another, a binary loses its capabilities. To keep them, copy the file with the `--preserve=all` option:
Resources