## Introduction

> Notes to kernel developers: The goal of capabilities is to divide the power of superuser into pieces, such that if a program that has one or more capabilities is compromised, its power to do damage to the system would be less than the same program running with root privilege.
>
> Capabilities(7) — Linux manual page

Capabilities are a fine-grained access control mechanism in Linux, allowing more granular permissions than the traditional superuser (root) model. They divide the privileges normally bundled into the root user into distinct units that can be independently enabled or disabled for different processes, which allows for more secure and controlled privilege management. For example, a process may need permission to bind to privileged ports but not require any other elevated permissions.

## Understanding Capabilities

To see how many capabilities our Linux host is aware of, we can query the file cap_last_cap inside the /proc directory. It reports the highest capability number the running kernel supports; capabilities are numbered from 0, so a value of 40 means the kernel knows 41 of them:

```
# cat /proc/sys/kernel/cap_last_cap
40
```

The capsh --print command displays the current capabilities and related settings of the shell or the process invoking the command. When executing this command on our Linux host, we see the full list of capabilities in the bounding set:

```
# capsh --print
Current: =ep
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
```

Each capability corresponds to a specific privileged action.

## Backdooring Python

The command setcap sets file capabilities on an executable.
The cap_se...
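As an added defensive example (not part of the original article, and not code from capsh or any other tool it mentions), the following Python script decodes the hexadecimal capability masks that the kernel exposes in /proc/&lt;pid&gt;/status into the capability names listed in the capsh output above, and flags the ones that would let a compromised process climb back to full root. The name table is the bounding set printed above, in kernel bit order; the watchlist of root-equivalent capabilities and the sample status text are assumptions constructed for this example.

```python
import re

# Capability names in kernel bit order: bit 0 is cap_chown, bit 40 is
# cap_checkpoint_restore. This is the bounding set printed by capsh --print
# above, which on a kernel reporting cap_last_cap = 40 covers every capability.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# Watchlist chosen for this example (an assumption, not from the article):
# capabilities that let their holder change identity, load kernel code, or read
# and modify arbitrary files and processes, i.e. regain root in practice.
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_setpcap", "cap_setfcap", "cap_sys_admin",
    "cap_sys_module", "cap_sys_ptrace", "cap_sys_rawio", "cap_dac_override",
    "cap_dac_read_search", "cap_chown", "cap_fowner",
}


def decode_cap_mask(mask_hex: str) -> list[str]:
    """Turn a hex capability mask (as printed in /proc/<pid>/status) into names."""
    mask = int(mask_hex, 16)
    names = []
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            # A bit above the table means a newer kernel than this table knows.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_unknown_{bit}")
    return names


# The five capability sets the kernel reports: inheritable, permitted,
# effective, bounding and ambient.
CAP_FIELD = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")


def parse_proc_status(text: str) -> dict[str, list[str]]:
    """Decode every Cap* line found in the text of a /proc/<pid>/status file."""
    sets = {}
    for line in text.splitlines():
        m = CAP_FIELD.match(line)
        if m:
            sets[m.group(1)] = decode_cap_mask(m.group(2))
    return sets


def flag_root_equivalent(caps) -> list[str]:
    """Return the capabilities in caps that are on the watchlist, sorted."""
    return sorted(set(caps) & ROOT_EQUIVALENT)


# Constructed sample: the capability lines of a /proc/<pid>/status file for a
# non-root daemon whose effective set holds cap_setuid (bit 7) and
# cap_net_bind_service (bit 10), i.e. mask 0x480, with an unrestricted bounding
# set. A real status file carries many more fields than shown here.
SAMPLE_STATUS = """\
Name:\tsample-daemon
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000000480
CapEff:\t0000000000000480
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""


def audit(text: str) -> dict[str, list[str]]:
    """Decode a status text and report watchlisted capabilities in the effective set."""
    effective = parse_proc_status(text).get("CapEff", [])
    return {"effective": effective, "watchlist_hits": flag_root_equivalent(effective)}


if __name__ == "__main__":
    # To inspect a live process, pass open("/proc/<pid>/status").read() instead.
    for name, caps in parse_proc_status(SAMPLE_STATUS).items():
        print(f"{name}: {', '.join(caps) or '(none)'}")
    print("watchlist hits:", audit(SAMPLE_STATUS)["watchlist_hits"])
```

Running the script over the constructed sample reports cap_setuid as a watchlist hit: a process that only needs to bind a privileged port has no business holding it, which is exactly the kind of over-grant the capability model is meant to make visible. The same decoder applies to the CapBnd line, which shows how much of the root power a process could still acquire through a file capability.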