mirror of https://github.com/mkerrisk/man-pages
capabilities.7: ffix
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 7c4dfcac5a
commit ade303d700
|
@ -60,7 +60,7 @@ Privileged processes bypass all kernel permission checks,
|
||||||
while unprivileged processes are subject to full permission
|
while unprivileged processes are subject to full permission
|
||||||
checking based on the process's credentials
|
checking based on the process's credentials
|
||||||
(usually: effective UID, effective GID, and supplementary group list).
|
(usually: effective UID, effective GID, and supplementary group list).
|
||||||
|
.PP
|
||||||
Starting with kernel 2.2, Linux divides the privileges traditionally
|
Starting with kernel 2.2, Linux divides the privileges traditionally
|
||||||
associated with superuser into distinct units, known as
|
associated with superuser into distinct units, known as
|
||||||
.IR capabilities ,
|
.IR capabilities ,
|
||||||
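Review bot: the only change in this hunk is the line before "Starting with kernel 2.2", which is empty on the old side and ".PP" on the new side; the 7/7 line counts in the header confirm no text was added or dropped. An explicit ".PP" makes the paragraph break visible to the man macros instead of relying on an empty input line, so this is the right fix and nothing else here needs attention.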
|
@ -284,7 +284,7 @@ is not available when the kernel is configured to support
|
||||||
file capabilities, since
|
file capabilities, since
|
||||||
.B CAP_SETPCAP
|
.B CAP_SETPCAP
|
||||||
has entirely different semantics for such kernels.)
|
has entirely different semantics for such kernels.)
|
||||||
|
.IP
|
||||||
If file capabilities are supported:
|
If file capabilities are supported:
|
||||||
add any capability from the calling thread's bounding set
|
add any capability from the calling thread's bounding set
|
||||||
to its inheritable set;
|
to its inheritable set;
|
||||||
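Review bot: ".IP" rather than ".PP" is the correct macro for the line before "If file capabilities are supported:". That sentence continues the CAP_SETPCAP entry (the ".B CAP_SETPCAP" two lines up is body text inside the parenthetical, not the entry's tag), and ".IP" keeps the hanging indent of the enclosing ".TP" entry, whereas ".PP" would return to the left margin and visually end the entry.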
|
@ -318,7 +318,7 @@ write a user ID mapping in a user namespace (see
|
||||||
this capability is overloaded; see
|
this capability is overloaded; see
|
||||||
.IR "Notes to kernel developers" ,
|
.IR "Notes to kernel developers" ,
|
||||||
below.
|
below.
|
||||||
|
.IP
|
||||||
.PD 0
|
.PD 0
|
||||||
.RS
|
.RS
|
||||||
.IP * 2
|
.IP * 2
|
||||||
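Review bot: the ".IP" inserted ahead of ".PD 0", ".RS" and ".IP * 2" is what gives the nested bullet list its leading paragraph space, because ".PD 0" zeroes the inter-paragraph distance for every bullet that follows. Please confirm that the end of the list (outside this hunk) has the matching ".RE" and a bare ".PD" to restore the default distance; if the ".PD" is missing, every ".IP" and ".PP" after the list will run together with no spacing.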
|
@ -816,7 +816,7 @@ It is also a limiting superset for the capabilities that
|
||||||
may be added to the inheritable set by a thread that does not have the
|
may be added to the inheritable set by a thread that does not have the
|
||||||
.B CAP_SETPCAP
|
.B CAP_SETPCAP
|
||||||
capability in its effective set.
|
capability in its effective set.
|
||||||
|
.IP
|
||||||
If a thread drops a capability from its permitted set,
|
If a thread drops a capability from its permitted set,
|
||||||
it can never reacquire that capability (unless it
|
it can never reacquire that capability (unless it
|
||||||
.BR execve (2)s
|
.BR execve (2)s
|
||||||
|
@ -847,12 +847,12 @@ This is a set of capabilities that are preserved across an
|
||||||
of a program that is not privileged.
|
of a program that is not privileged.
|
||||||
The ambient capability set obeys the invariant that no capability
|
The ambient capability set obeys the invariant that no capability
|
||||||
can ever be ambient if it is not both permitted and inheritable.
|
can ever be ambient if it is not both permitted and inheritable.
|
||||||
|
.IP
|
||||||
The ambient capability set can be directly modified using
|
The ambient capability set can be directly modified using
|
||||||
.BR prctl (2).
|
.BR prctl (2).
|
||||||
Ambient capabilities are automatically lowered if either of
|
Ambient capabilities are automatically lowered if either of
|
||||||
the corresponding permitted or inheritable capabilities is lowered.
|
the corresponding permitted or inheritable capabilities is lowered.
|
||||||
|
.IP
|
||||||
Executing a program that changes UID or GID due to the
|
Executing a program that changes UID or GID due to the
|
||||||
set-user-ID or set-group-ID bits or executing a program that has
|
set-user-ID or set-group-ID bits or executing a program that has
|
||||||
any file capabilities set will clear the ambient set.
|
any file capabilities set will clear the ambient set.
|
||||||
|
@ -894,7 +894,7 @@ The file capability sets,
|
||||||
in conjunction with the capability sets of the thread,
|
in conjunction with the capability sets of the thread,
|
||||||
determine the capabilities of a thread after an
|
determine the capabilities of a thread after an
|
||||||
.BR execve (2).
|
.BR execve (2).
|
||||||
|
.PP
|
||||||
The three file capability sets are:
|
The three file capability sets are:
|
||||||
.TP
|
.TP
|
||||||
.IR Permitted " (formerly known as " forced ):
|
.IR Permitted " (formerly known as " forced ):
|
||||||
|
@ -916,7 +916,7 @@ also raised in the effective set.
|
||||||
If this bit is not set, then after an
|
If this bit is not set, then after an
|
||||||
.BR execve (2),
|
.BR execve (2),
|
||||||
none of the new permitted capabilities is in the new effective set.
|
none of the new permitted capabilities is in the new effective set.
|
||||||
|
.IP
|
||||||
Enabling the file effective capability bit implies
|
Enabling the file effective capability bit implies
|
||||||
that any file permitted or inheritable capability that causes a
|
that any file permitted or inheritable capability that causes a
|
||||||
thread to acquire the corresponding permitted capability during an
|
thread to acquire the corresponding permitted capability during an
|
||||||
|
@ -938,9 +938,9 @@ During an
|
||||||
.BR execve (2),
|
.BR execve (2),
|
||||||
the kernel calculates the new capabilities of
|
the kernel calculates the new capabilities of
|
||||||
the process using the following algorithm:
|
the process using the following algorithm:
|
||||||
|
.PP
|
||||||
.in +4n
|
.in +4n
|
||||||
.nf
|
.nf
|
||||||
|
|
||||||
P'(ambient) = (file is privileged) ? 0 : P(ambient)
|
P'(ambient) = (file is privileged) ? 0 : P(ambient)
|
||||||
|
|
||||||
P'(permitted) = (P(inheritable) & F(inheritable)) |
|
P'(permitted) = (P(inheritable) & F(inheritable)) |
|
||||||
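Review bot: the ".PP" before ".in +4n" and ".nf" is the right way to introduce the displayed algorithm. The empty lines inside the ".nf" region (empty on both sides, unchanged by this hunk) are intentional, since no-fill mode reproduces them as the spacing between the P'(ambient) and P'(permitted) rules, so they should not be converted to ".PP" like the blank lines elsewhere in this commit.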
|
@ -949,9 +949,9 @@ P'(permitted) = (P(inheritable) & F(inheritable)) |
|
||||||
P'(effective) = F(effective) ? P'(permitted) : P'(ambient)
|
P'(effective) = F(effective) ? P'(permitted) : P'(ambient)
|
||||||
|
|
||||||
P'(inheritable) = P(inheritable) [i.e., unchanged]
|
P'(inheritable) = P(inheritable) [i.e., unchanged]
|
||||||
|
|
||||||
.fi
|
.fi
|
||||||
.in
|
.in
|
||||||
|
.PP
|
||||||
where:
|
where:
|
||||||
.RS 4
|
.RS 4
|
||||||
.IP P 10
|
.IP P 10
|
||||||
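Review bot: placing ".PP" after the bare ".in" (which restores the indent that ".in +4n" set) is correct; "where:" then lines up with the surrounding body text, and ".RS 4" plus ".IP P 10" start the definition list at the expected indent. No further change needed in this hunk.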
|
@ -968,14 +968,14 @@ is the value of the capability bounding set (described below).
|
||||||
.PP
|
.PP
|
||||||
A privileged file is one that has capabilities or
|
A privileged file is one that has capabilities or
|
||||||
has the set-user-ID or set-group-ID bit set.
|
has the set-user-ID or set-group-ID bit set.
|
||||||
|
.PP
|
||||||
.IR Note :
|
.IR Note :
|
||||||
the capability transitions described above may
|
the capability transitions described above may
|
||||||
.I not
|
.I not
|
||||||
be performed (i.e., file capabilities may be ignored) for the same reasons
|
be performed (i.e., file capabilities may be ignored) for the same reasons
|
||||||
that the set-user-ID and set-group-ID bits are ignored; see
|
that the set-user-ID and set-group-ID bits are ignored; see
|
||||||
.BR execve (2).
|
.BR execve (2).
|
||||||
|
.PP
|
||||||
.IR Note :
|
.IR Note :
|
||||||
according to the rules above,
|
according to the rules above,
|
||||||
if a process with nonzero user IDs performs an
|
if a process with nonzero user IDs performs an
|
||||||
|
@ -1002,7 +1002,7 @@ so that the file permitted capabilities are automatically
|
||||||
enabled in the process effective set when executing the file.
|
enabled in the process effective set when executing the file.
|
||||||
The kernel recognizes a file which has the effective capability bit set
|
The kernel recognizes a file which has the effective capability bit set
|
||||||
as capability-dumb for the purpose of the check described here.
|
as capability-dumb for the purpose of the check described here.
|
||||||
|
.PP
|
||||||
When executing a capability-dumb binary,
|
When executing a capability-dumb binary,
|
||||||
the kernel checks if the process obtained all permitted capabilities
|
the kernel checks if the process obtained all permitted capabilities
|
||||||
that were specified in the file permitted set,
|
that were specified in the file permitted set,
|
||||||
|
@ -1119,14 +1119,14 @@ The bounding set is accessible via the file
|
||||||
(Confusingly, this bit mask parameter is expressed as a
|
(Confusingly, this bit mask parameter is expressed as a
|
||||||
signed decimal number in
|
signed decimal number in
|
||||||
.IR /proc/sys/kernel/cap-bound .)
|
.IR /proc/sys/kernel/cap-bound .)
|
||||||
|
.PP
|
||||||
Only the
|
Only the
|
||||||
.B init
|
.B init
|
||||||
process may set capabilities in the capability bounding set;
|
process may set capabilities in the capability bounding set;
|
||||||
other than that, the superuser (more precisely: programs with the
|
other than that, the superuser (more precisely: programs with the
|
||||||
.B CAP_SYS_MODULE
|
.B CAP_SYS_MODULE
|
||||||
capability) may only clear capabilities from this set.
|
capability) may only clear capabilities from this set.
|
||||||
|
.PP
|
||||||
On a standard system the capability bounding set always masks out the
|
On a standard system the capability bounding set always masks out the
|
||||||
.B CAP_SETPCAP
|
.B CAP_SETPCAP
|
||||||
capability.
|
capability.
|
||||||
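Review bot: the two ".PP" substitutions here sit inside the description of the old system-wide bounding set exposed through /proc/sys/kernel/cap-bound, and the change itself is fine. One documentation point on the unchanged context: "On a standard system the capability bounding set always masks out the CAP_SETPCAP capability" is written in the present tense for behaviour that the per-thread bounding set described in the later "From Linux 2.6.25" hunk supersedes; a qualifier such as "On such (pre-2.6.25) systems" would make the historical scope clear.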
|
@ -1135,7 +1135,7 @@ To remove this restriction (dangerous!), modify the definition of
|
||||||
in
|
in
|
||||||
.I include/linux/capability.h
|
.I include/linux/capability.h
|
||||||
and rebuild the kernel.
|
and rebuild the kernel.
|
||||||
|
.PP
|
||||||
The system-wide capability bounding set feature was added
|
The system-wide capability bounding set feature was added
|
||||||
to Linux starting with kernel version 2.2.11.
|
to Linux starting with kernel version 2.2.11.
|
||||||
.\"
|
.\"
|
||||||
|
@ -1146,12 +1146,12 @@ From Linux 2.6.25, the
|
||||||
.I "capability bounding set"
|
.I "capability bounding set"
|
||||||
is a per-thread attribute.
|
is a per-thread attribute.
|
||||||
(There is no longer a system-wide capability bounding set.)
|
(There is no longer a system-wide capability bounding set.)
|
||||||
|
.PP
|
||||||
The bounding set is inherited at
|
The bounding set is inherited at
|
||||||
.BR fork (2)
|
.BR fork (2)
|
||||||
from the thread's parent, and is preserved across an
|
from the thread's parent, and is preserved across an
|
||||||
.BR execve (2).
|
.BR execve (2).
|
||||||
|
.PP
|
||||||
A thread may remove capabilities from its capability bounding set using the
|
A thread may remove capabilities from its capability bounding set using the
|
||||||
.BR prctl (2)
|
.BR prctl (2)
|
||||||
.B PR_CAPBSET_DROP
|
.B PR_CAPBSET_DROP
|
||||||
|
@ -1164,7 +1164,7 @@ A thread can determine if a capability is in its bounding set using the
|
||||||
.BR prctl (2)
|
.BR prctl (2)
|
||||||
.B PR_CAPBSET_READ
|
.B PR_CAPBSET_READ
|
||||||
operation.
|
operation.
|
||||||
|
.PP
|
||||||
Removing capabilities from the bounding set is supported only if file
|
Removing capabilities from the bounding set is supported only if file
|
||||||
capabilities are compiled into the kernel.
|
capabilities are compiled into the kernel.
|
||||||
In kernels before Linux 2.6.33,
|
In kernels before Linux 2.6.33,
|
||||||
|
@ -1184,7 +1184,7 @@ begins with a full bounding set minus
|
||||||
.BR CAP_SETPCAP ,
|
.BR CAP_SETPCAP ,
|
||||||
because this capability has a different meaning when there are
|
because this capability has a different meaning when there are
|
||||||
no file capabilities.
|
no file capabilities.
|
||||||
|
.PP
|
||||||
Removing a capability from the bounding set does not remove it
|
Removing a capability from the bounding set does not remove it
|
||||||
from the thread's inherited set.
|
from the thread's inherited set.
|
||||||
However it does prevent the capability from being added
|
However it does prevent the capability from being added
|
||||||
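Review bot: "from the thread's inherited set" on the context line after the new ".PP" looks like a typo for "inheritable set", which is the name used for that set throughout the page (for example "to its inheritable set" in the CAP_SETPCAP hunk and "P'(inheritable) = P(inheritable)" in the transformation rules). The wording is out of scope for an ffix-only commit, so leave it here, but it merits a follow-up fix.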
|
@ -1338,7 +1338,7 @@ operations.
|
||||||
The
|
The
|
||||||
.B CAP_SETPCAP
|
.B CAP_SETPCAP
|
||||||
capability is required to modify the flags.
|
capability is required to modify the flags.
|
||||||
|
.PP
|
||||||
The
|
The
|
||||||
.I securebits
|
.I securebits
|
||||||
flags are inherited by child processes.
|
flags are inherited by child processes.
|
||||||
|
@ -1347,14 +1347,14 @@ During an
|
||||||
all of the flags are preserved, except
|
all of the flags are preserved, except
|
||||||
.B SECBIT_KEEP_CAPS
|
.B SECBIT_KEEP_CAPS
|
||||||
which is always cleared.
|
which is always cleared.
|
||||||
|
.PP
|
||||||
An application can use the following call to lock itself,
|
An application can use the following call to lock itself,
|
||||||
and all of its descendants,
|
and all of its descendants,
|
||||||
into an environment where the only way of gaining capabilities
|
into an environment where the only way of gaining capabilities
|
||||||
is by executing a program with associated file capabilities:
|
is by executing a program with associated file capabilities:
|
||||||
|
.PP
|
||||||
.in +4n
|
.in +4n
|
||||||
.nf
|
.nf
|
||||||
|
|
||||||
prctl(PR_SET_SECUREBITS,
|
prctl(PR_SET_SECUREBITS,
|
||||||
/* SECBIT_KEEP_CAPS off */
|
/* SECBIT_KEEP_CAPS off */
|
||||||
SECBIT_KEEP_CAPS_LOCKED |
|
SECBIT_KEEP_CAPS_LOCKED |
|
||||||
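Review bot: the second ".PP" in this hunk, between "is by executing a program with associated file capabilities:" and ".in +4n"/".nf", is needed because ".in" only breaks the line; without a paragraph macro the displayed prctl() call would start on the very next line with no vertical gap. The "/* SECBIT_KEEP_CAPS off */" comment inside the call is a good way to document an intentionally omitted flag and should stay.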
|
@ -1383,7 +1383,7 @@ capabilities were an optional kernel component,
|
||||||
and could be enabled/disabled via the
|
and could be enabled/disabled via the
|
||||||
.B CONFIG_SECURITY_CAPABILITIES
|
.B CONFIG_SECURITY_CAPABILITIES
|
||||||
kernel configuration option.
|
kernel configuration option.
|
||||||
|
.PP
|
||||||
The
|
The
|
||||||
.I /proc/[pid]/task/TID/status
|
.I /proc/[pid]/task/TID/status
|
||||||
file can be used to view the capability sets of a thread.
|
file can be used to view the capability sets of a thread.
|
||||||
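Review bot: the ".PP" before "The /proc/[pid]/task/TID/status file" is correct, but the path in that unchanged line mixes two placeholder conventions ("[pid]" in brackets, "TID" bare); "/proc/[pid]/task/[tid]/status" would be consistent with the bracketed form used for the process ID. Not something this ffix commit has to address.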
|
@ -1397,7 +1397,7 @@ Since Linux 3.8,
|
||||||
all nonexistent capabilities (above
|
all nonexistent capabilities (above
|
||||||
.BR CAP_LAST_CAP )
|
.BR CAP_LAST_CAP )
|
||||||
are shown as disabled (0).
|
are shown as disabled (0).
|
||||||
|
.PP
|
||||||
The
|
The
|
||||||
.I libcap
|
.I libcap
|
||||||
package provides a suite of routines for setting and
|
package provides a suite of routines for setting and
|
||||||
|
@ -1415,7 +1415,7 @@ It can be found at
|
||||||
.br
|
.br
|
||||||
.UR http://www.kernel.org\:/pub\:/linux\:/libs\:/security\:/linux\-privs
|
.UR http://www.kernel.org\:/pub\:/linux\:/libs\:/security\:/linux\-privs
|
||||||
.UE .
|
.UE .
|
||||||
|
.PP
|
||||||
Before kernel 2.6.24, and from kernel 2.6.24 to kernel 2.6.32 if
|
Before kernel 2.6.24, and from kernel 2.6.24 to kernel 2.6.32 if
|
||||||
file capabilities are not enabled, a thread with the
|
file capabilities are not enabled, a thread with the
|
||||||
.B CAP_SETPCAP
|
.B CAP_SETPCAP
|
||||||
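Review bot: the ".PP" before "Before kernel 2.6.24, and from kernel 2.6.24 to kernel 2.6.32 if" follows the ".UE ." line correctly. Keep the trailing period as the argument of ".UE" as done here; moving it to the next text line would separate it from the URL by a space. The hunk is cut at ".B CAP_SETPCAP", so the rest of that paragraph is not visible in this view.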