2025-03-26 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article introduces how to view and set file capabilities on Linux. Many people are unsure how to do this in daily operation, so the editor has consulted a range of material and put together simple, practical steps. Follow along to learn them.
The Linux system provides two main tool sets for managing capabilities: libcap and libcap-ng. libcap provides the getcap and setcap commands to view and set the capabilities of a file, and capsh to view the capabilities of the current shell process. libcap-ng is simpler to use: a single command, filecap, both views and sets capabilities.
1 libcap
Installation is simple. Take CentOS as an example, you can install it with the following command:
$ yum install -y libcap
If you want to see the capabilities of the current shell process, use the capsh command. The following is the output of capsh run as the root user on a CentOS system:
$ capsh --print
Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+ep
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=0(root)
Explanation:
Current: the Effective and Permitted capabilities of the current shell process. It can contain several groups, each written as capability[,capability...]+(e|i|p), where e means effective, i means inheritable and p means permitted. Groups are separated by spaces, for example: Current: = cap_sys_chroot+ep cap_net_bind_service+eip. As another example, cap_net_bind_service+e cap_net_bind_service+ip is equivalent to cap_net_bind_service+eip.
Bounding set: this lists only the capabilities in the Bounding set, not the other sets, so no +... suffix is needed after the group.
Securebits: I don't know what the heck this is.
The output of this command is limited; the complete information is in the /proc file system, for example /proc/$$/status for the current shell process. One important state there is NoNewPrivs, which can be viewed with the following command:
$ grep NoNewPrivs /proc/$$/status
NoNewPrivs: 0
As described in prctl(2), since Linux 4.10 the NoNewPrivs value in /proc/[pid]/status shows the no_new_privs attribute of the thread. What no_new_privs actually does is explained separately below.
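The /proc/<pid>/status file also carries the five capability sets as hex bitmasks (CapInh, CapPrm, CapEff, CapBnd, CapAmb), which capsh only shows for the current shell. The POSIX shell script below is an added example, not part of the original article: it decodes those masks into the cap_* names in the bit order capsh printed above, extended with the three newer capabilities (perfmon, bpf, checkpoint_restore). The sample status lines are constructed, not captured from a real system.

```shell
#!/bin/sh
# Decode the hex capability masks in /proc/<pid>/status (CapInh, CapPrm, CapEff, CapBnd,
# CapAmb) into cap_* names, using the kernel's bit order: bit 0 = cap_chown up to
# bit 37 = cap_audit_read (the list capsh printed above), then perfmon, bpf, checkpoint_restore.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap
linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner
sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice
sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap
mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf
checkpoint_restore"

# decode_caps HEXMASK -> space-separated cap_* names for every set bit ("" for an empty set)
decode_caps() {
    mask=$((0x${1:-0})); bit=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="${out:+$out }cap_$name"
        fi
        bit=$((bit + 1))
    done
    # a kernel newer than this table may set bits we have no name for: report, don't drop
    if [ $((mask >> bit)) -ne 0 ]; then
        out="${out:+$out }unknown_bits_above_$((bit - 1))"
    fi
    printf '%s\n' "$out"
}

# caps_from_status SET < statusfile -> names for one set, e.g. caps_from_status CapEff
caps_from_status() {
    decode_caps "$(awk -v f="$1:" '$1 == f { print $2 }')"
}

# show_caps < statusfile -> all five sets by name, one per line
show_caps() {
    status=$(cat)
    for set in CapInh CapPrm CapEff CapBnd CapAmb; do
        printf '%s = %s\n' "$set" "$(printf '%s\n' "$status" | caps_from_status "$set")"
    done
}

# Constructed sample (not captured from a real system): a process whose permitted set holds
# cap_net_admin and cap_net_raw while its effective set is empty, with a full bounding set.
SAMPLE_STATUS=$(printf 'Name:\tping\nCapInh:\t0000000000000000\nCapPrm:\t0000000000003000\n')
SAMPLE_STATUS="$SAMPLE_STATUS
$(printf 'CapEff:\t0000000000000000\nCapBnd:\t0000003fffffffff\nCapAmb:\t0000000000000000\n')"

printf '%s\n' "$SAMPLE_STATUS" | show_caps
# On a live system: show_caps < /proc/$$/status  or  show_caps < /proc/$(pgrep -o nginx)/status
```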
no_new_privs
In general, the execve() system call can give a newly started process privileges that its parent does not have. The most common example is a program with the setuid or setgid bit set, which runs with the uid and gid of the file's owner and therefore gains that owner's file access. This is a rich source of vulnerabilities: a process can simply fork and exec such a program to raise its privileges for ulterior purposes.
To address this, since version 3.5 the Linux kernel has provided the no_new_privs attribute (actually a single bit on the process), which gives the process a property that persists safely across execve() calls.
When no_new_privs is set, execve() promises not to grant any privilege to do something that could not have been done without the execve() call. In other words, neither the thread nor its children can gain additional privileges: setuid and setgid bits are not honored and file capabilities are not granted.
Once no_new_privs is set on the current thread, it cannot be cleared, and every child created through fork, clone or execve inherits it.
In Docker, you can turn on no_new_privs with the --security-opt parameter, for example: docker run --security-opt=no-new-privileges busybox. Let's use an example to understand the role of the no_new_privs attribute.
First, write a small C program that prints the effective user id of the current process:
$ cat testnnp.c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

int main(int argc, char *argv[])
{
    /* geteuid() returns the effective uid, which a setuid binary changes to the file owner's */
    printf("Effective uid: %d\n", geteuid());
    return 0;
}
$ make testnnp
cc testnnp.c -o testnnp
Add the executable to a Docker image:
FROM fedora:latest
ADD testnnp /root/testnnp
RUN chmod +s /root/testnnp
ENTRYPOINT /root/testnnp
Build the image:
$ docker build -t testnnp .
Step 1 : FROM fedora:latest
 ---> 760a896a323f
Step 2 : ADD testnnp /root/testnnp
 ---> 6c700f277948
Removing intermediate container 0981144fe404
Step 3 : RUN chmod +s /root/testnnp
 ---> Running in c1215bfbe825
 ---> f1f07d05a691
Removing intermediate container c1215bfbe825
Step 4 : ENTRYPOINT /root/testnnp
 ---> Running in 5a4d324d54fa
 ---> 44f767c67e30
Removing intermediate container 5a4d324d54fa
Successfully built 44f767c67e30
Here are two experiments. First, start the container without enabling no-new-privileges:
$ docker run -it --rm --user=1000 testnnp
Effective uid: 0
As the output shows, as long as the executable has the SUID bit set, even when we run the container as a normal user (UID=1000) the effective user of the process becomes root.
Now start the container with no-new-privileges enabled, which stops the SUID executable from changing its UID:
$ docker run -it --rm --user=1000 --security-opt=no-new-privileges testnnp
Effective uid: 1000
You can see that when the no_new_privs attribute is turned on, the effective user ID of the thread does not become root even though the executable has the SUID bit set. In this way, even if code in the image has a security flaw, you can still avoid being compromised by preventing it from escalating privileges.
Kubernetes can also turn on no_new_privs, but the logic is a little more involved. When the allowPrivilegeEscalation field in the Pod's SecurityContext is false (the default is false), no_new_privs is enabled only if none of the following conditions holds:
privileged=true is set
CAP_SYS_ADMIN is added, that is, capAdd=CAP_SYS_ADMIN
the container runs as the root user, that is, UID=0
For example, with privileged=true and allowPrivilegeEscalation=false, the no_new_privs property is not turned on. Likewise, setting capAdd=CAP_SYS_ADMIN together with allowPrivilegeEscalation=false does not enable no_new_privs.
Manage capabilities
You can view the capabilities of a file through getcap, for example:
$ getcap /bin/ping /usr/sbin/arping
/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/arping = cap_net_raw+p
You can also use the -r parameter to query recursively:
$ getcap -r /usr 2>/dev/null
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/bin/newgidmap = cap_setgid+ep
/usr/bin/newuidmap = cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
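A recursive getcap listing is also the natural input for an audit: which files carry capabilities that are close to root-equivalent? The POSIX shell script below is an added example, not from the original article. It parses lines in the "<path> = <caps>+<flags>" format getcap printed above and flags risky capabilities held in the permitted set; the watch list is this example's own judgement, and the /opt/agent/bin/agent entry in the sample is constructed to show a hit.

```shell
#!/bin/sh
# Audit a "getcap -r" listing: flag every file whose permitted set holds a capability that,
# granted to an arbitrary binary, is near root-equivalent (identity change, DAC bypass,
# kernel module loading, ptrace, setting file caps). The watch list is a judgement call.
# Input format assumed: libcap's "<path> = <cap>[,<cap>...]+<flags>" lines, as shown above.
RISKY_CAPS="cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_chown cap_fowner cap_sys_admin cap_sys_module cap_sys_ptrace cap_setfcap"

# flag_getcap < getcap-output -> one line "RISKY <path> <cap> +<flags>" per risky capability
# in the file's permitted set; files with only e.g. cap_net_raw produce no output.
flag_getcap() {
    while IFS= read -r line; do
        case $line in *" = "*) ;; *) continue ;; esac   # skip blank or unexpected lines
        path=${line%% = *}
        spec=${line#* = }
        for group in $spec; do                 # a file may carry several "+flags" groups
            flags=${group##*+}                 # e.g. "ep"
            caplist=${group%+*}                # e.g. "cap_net_admin,cap_net_raw"
            case $flags in *p*) ;; *) continue ;; esac   # not permitted: cannot be used
            for cap in $(printf '%s\n' "$caplist" | tr ',' ' '); do
                case " $RISKY_CAPS " in
                    *" $cap "*) printf 'RISKY %s %s +%s\n' "$path" "$cap" "$flags" ;;
                esac
            done
        done
    done
}

# count_risky < getcap-output -> number of flagged entries
count_risky() {
    flag_getcap | wc -l | tr -d ' '
}

# Constructed sample: the five lines "getcap -r /usr" printed above, plus a hypothetical
# /opt/agent/bin/agent that was given cap_sys_admin, so the audit has something to catch.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/bin/newgidmap = cap_setgid+ep
/usr/bin/newuidmap = cap_setuid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/opt/agent/bin/agent = cap_net_bind_service,cap_sys_admin+ep'

printf '%s\n' "$SAMPLE_GETCAP" | flag_getcap
# On a live system:  getcap -r / 2>/dev/null | flag_getcap
```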
If you want to view the capabilities of a process, use getpcaps followed by the PID of the process:
$ getpcaps 1234
If you want to see the capabilities of a set of related processes (such as nginx), do it this way:
$ getpcaps $(pgrep nginx)
Here you will see that only the master process has capabilities; the worker processes have none. This is because only the master needs special privileges, such as binding to network ports, while the other processes only need to answer requests.
To set the capabilities of a file, use setcap. The syntax is as follows:
$ setcap CAP+set filename
For example, add the CAP_CHOWN and CAP_DAC_OVERRIDE capabilities to the permitted and effective sets:
$ setcap CAP_CHOWN,CAP_DAC_OVERRIDE+ep file1
If you want to remove the capabilities from a file, use the -r parameter:
$ setcap -r filename
2 libcap-ng
Installation is also easy. Take CentOS as an example:
$ yum install libcap-ng-utils
Usage
libcap-ng uses the filecap command to manage the capabilities of a file. There are several points to pay attention to:
When filecap adds, removes or views capabilities, the capability name is given without the CAP_ prefix (for example, use NET_ADMIN instead of CAP_NET_ADMIN).
filecap does not support relative paths, only absolute paths.
filecap does not let you choose which sets a capability goes into; capabilities are always added to the permitted and effective sets.
View the capabilities of the file:
$ filecap /full/path/to/file
Recursively view the capabilities of all files in a directory:
$ filecap /full/path/to/dir
For example:
$ filecap /usr/bin
file                 capabilities
/usr/bin/newgidmap   setgid
/usr/bin/newuidmap   setuid
> Note: filecap only lists files whose capabilities are in both the permitted and effective sets, so ping and arping (which have +p only) do not appear here.
Recursively view the capabilities of all files for the entire system:
$ filecap /
# or
$ filecap -a
The syntax for setting a file's capabilities is as follows:
$ filecap /full/path/to/file cap_name
For example:
$ filecap /usr/bin/tac dac_override
Remove the capabilities of a file:
$ filecap /full/path/to/file none
That concludes this study of "how to view and set file linux capabilities". I hope it has answered your questions. Combining theory with practice is the best way to learn, so go and try it! If you want to continue learning, please keep following the website; the editor will keep working to bring you more practical articles.
© 2024 shulou.com SLNews company. All rights reserved.