Linux Capability 2

This document discusses Linux capabilities and provides examples of several key capabilities: CAP_DAC_READ_SEARCH allows overriding access restrictions on files and directories. CAP_DAC_OVERRIDE overrides all discretionary access controls. CAP_FOWNER overrides restrictions on file operations based on file ownership. The document gives examples of using capabilities to allow non-root users to perform actions like changing file permissions and killing processes. It recommends using capabilities in programs to demonstrate how they can help prevent exploits by dropping privileges.

Uploaded by

ami_haroon

Linux Capability

Zutao Zhu
10/23/2009
Outline
• Question 2
• Question 5
• Question 6
Question 2: Capabilities
• cap_dac_read_search
• cap_dac_override
• cap_fowner
• cap_chown
• cap_fsetid
• cap_sys_module
• cap_kill
• cap_net_admin
• cap_net_raw
• cap_sys_nice
• cap_sys_time
CAP_DAC_READ_SEARCH
• Usage: /* Overrides all DAC restrictions
regarding read and search on files and
directories, including ACL restrictions
if [_POSIX_ACL] is defined. Excluding
DAC access covered by
CAP_LINUX_IMMUTABLE. */
• How: try to open a file owned by root,
using a normal user
CAP_DAC_OVERRIDE
• Usage: /* Override all DAC access,
including ACL execute access if
[_POSIX_ACL] is defined. Excluding
DAC access covered by
CAP_LINUX_IMMUTABLE. */
• How: try to write to a file owned by root,
using a normal user
CAP_FOWNER
• Usage: /* Overrides all restrictions
about allowed operations on files,
where file owner ID must be equal to
the user ID, except where CAP_FSETID
is applicable. It doesn't override MAC
and DAC restrictions. */
• How: try to change the mode of a file
owned by root
CAP_CHOWN
• Usage: /* In a system with the
[_POSIX_CHOWN_RESTRICTED]
option defined, this overrides the
restriction of changing file ownership
and group ownership. */
• How: chown command!
CAP_FSETID
• Usage: /* Overrides the following restrictions
that the effective user ID shall match the file
owner ID when setting the S_ISUID and
S_ISGID bits on that file; that the effective
group ID (or one of the supplementary group
IDs) shall match the file owner ID when
setting the S_ISGID bit on that file; that the
S_ISUID and S_ISGID bits are cleared on
successful return from chown(2) (not
implemented). */
• How: man -S 2 chmod, use chmod()
CAP_SYS_MODULE
• Usage: /* Insert and remove kernel
modules - modify kernel without limit */
• How: apply to insmod or rmmod. First
locate the module; usually it is a (.so) file
in /usr/local/lib. Example: /sbin/insmod
libmp3lame.so
CAP_KILL
• Usage: /* Overrides the restriction that
the real or effective user ID of a
process sending a signal must match
the real or effective user ID of the
process receiving the signal. */
• How: apply to “kill” command!
CAP_NET_ADMIN
• Usage: /* Allow interface configuration */ /* Allow
administration of IP firewall, masquerading and
accounting */ /* Allow setting debug option on
sockets */ /* Allow modification of routing tables */ /*
Allow setting arbitrary process / process group
ownership on sockets */ /* Allow binding to any
address for transparent proxying */ /* Allow setting
TOS (type of service) */ /* Allow setting promiscuous
mode */ /* Allow clearing driver statistics */ /* Allow
multicasting */ /* Allow read/write of device-specific
registers */ /* Allow activation of ATM control sockets
*/
• How: apply to the ifconfig command! ifconfig eth0 ip
CAP_NET_RAW
• Usage: /* Allow use of RAW sockets */ /*
Allow use of PACKET sockets */
• How: ping!
CAP_SYS_NICE
• Usage: /* Allow raising priority and
setting priority on other (different UID)
processes */ /* Allow use of FIFO and
round-robin (realtime) scheduling on
own processes and setting the
scheduling algorithm used by another
process. */ /* Allow setting cpu affinity
on other processes */
• How: apply to nice(). man -S 2 nice
CAP_SYS_TIME
• Usage: /* Allow manipulation of system
clock */ /* Allow irix_stime on mips */ /*
Allow setting the real-time clock */
• How: apply to “date” command to change
the system clock
Question 5
• Use the vulnerable program in buffer-
overflow lab
• You can focus on
CAP_DAC_READ_SEARCH
• Use cap_disable and cap_drop like
use_cap.c to demo that capability really
helps!
Question 6
• Use the vulnerable program in race
condition lab
• You can focus on
CAP_DAC_READ_SEARCH
• Use cap_disable and cap_drop like
use_cap.c to demo that capability really
helps!
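Added example, not from the slides or from use_cap.c (which this page does not show): the disable-versus-drop difference that Questions 5 and 6 ask you to demonstrate, here for CAP_DAC_READ_SEARCH using the raw capget/capset system calls. The demo_cap_* and cap_state names are hypothetical stand-ins for the lab's cap_disable and cap_drop; the point is that a disabled capability can be re-enabled by any code running in the process, while a dropped one cannot.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

enum { EFF = 1, PERM = 2 };            /* bits returned by cap_state() */

/* Read (set == 0) or write (set != 0) the calling thread's capability sets. */
static int caps_rw(int set, struct __user_cap_data_struct d[2]) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(set ? SYS_capset : SYS_capget, &h, d);
}

/* Which sets hold `cap`: a mask of EFF and PERM, or -1 on error. */
int cap_state(int cap) {
    struct __user_cap_data_struct d[2];
    if (caps_rw(0, d) != 0) return -1;
    unsigned m = CAP_TO_MASK(cap);
    int i = CAP_TO_INDEX(cap);
    return ((d[i].effective & m) ? EFF : 0) | ((d[i].permitted & m) ? PERM : 0);
}

/* Hypothetical helper: set or clear `cap` in effective, optionally clear permitted. */
static int cap_change(int cap, int on, int clear_permitted) {
    struct __user_cap_data_struct d[2];
    if (caps_rw(0, d) != 0) return -1;
    unsigned m = CAP_TO_MASK(cap);
    int i = CAP_TO_INDEX(cap);
    if (on) d[i].effective |= m; else d[i].effective &= ~m;
    if (clear_permitted) d[i].permitted &= ~m;
    return caps_rw(1, d);              /* kernel enforces effective <= permitted */
}

int demo_cap_disable(int cap) { return cap_change(cap, 0, 0); } /* reversible */
int demo_cap_enable(int cap)  { return cap_change(cap, 1, 0); } /* needs PERM */
int demo_cap_drop(int cap)    { return cap_change(cap, 0, 1); } /* permanent  */

int main(void) {
    int c = CAP_DAC_READ_SEARCH, rc;
    printf("start:    state=%d\n", cap_state(c));
    demo_cap_disable(c);
    rc = demo_cap_enable(c);           /* succeeds only if still permitted */
    printf("disabled: re-enable rc=%d state=%d\n", rc, cap_state(c));
    demo_cap_drop(c);
    rc = demo_cap_enable(c);           /* always fails after a drop */
    printf("dropped:  re-enable rc=%d state=%d\n", rc, cap_state(c));
    return 0;
}
```

For the vulnerable lab programs this means dropping the capability before the risky code path, not merely disabling it.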
Reference
• include/linux/capability.h
• Manual pages
Questions?
