mirror of https://github.com/mkerrisk/man-pages
capabilities.7: Rework discussion of exec and UID 0, correcting a couple of details
Clarify the "Capabilities and execution of programs by root" section, and correct a couple of details:

* If a process with rUID == 0 && eUID != 0 does an exec, the process will nevertheless gain effective capabilities if the file effective bit is set.
* Set-UID-root programs only confer a full set of capabilities if the binary does not also have attached capabilities.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent db18d67f21
commit bc1950ac92
@ -1186,25 +1186,34 @@ API.
.SS Capabilities and execution of programs by root
.\" See cap_bprm_set_creds() and handle_privileged_root() in
.\" security/commoncap.c (Linux 5.0 source)
In order to provide an all-powerful
.I root
using capability sets, during an
.BR execve (2):
In order to mirror traditional UNIX semantics,
execution of programs by root (UID 0)
as well as execution of set-user-ID-root programs
result in special treatment of capabilities during an
.BR execve (2).
.PP
When a process with nonzero UIDs executes a binary:
.IP 1. 3
If a set-user-ID-root program is being executed,
or the real or effective user ID of the process is 0 (root)
If the real or effective user ID of the process is 0 (root),
then the file inheritable and permitted sets are defined to be all ones
(i.e., all capabilities enabled).
.IP 2.
If a set-user-ID-root program is being executed,
or the effective user ID of the process is 0 (root)
If the effective user ID of the process is 0 (root) or
the file effective bit is in fact enabled,
then the file effective bit is defined to be one (enabled).
.PP
If a process with nonzero user IDs executes a set-user-ID-root binary
that does not have attached capabilities,
the file capability sets are considered to be all ones.
(See below for a discussion of what happens
when a process with nonzero UIDs executes a binary
that is both set-user-ID root and has attached file capabilities.)
.PP
The upshot of the above rules,
combined with the capabilities transformations described above,
is as follows:
.IP * 3
When a process
When a process with nonzero UIDs
.BR execve (2)s
a set-user-ID-root program, or when a process with an effective UID of 0
.BR execve (2)s
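Review bot: the new lead-in "When a process with nonzero UIDs executes a binary:" contradicts the list it introduces, since item 1 ("If the real or effective user ID of the process is 0 (root)") and item 2 ("If the effective user ID of the process is 0 (root) or the file effective bit is in fact enabled") can only hold for a process whose UIDs are not all nonzero. Given that the section says execution of set-user-ID-root programs is what triggers this treatment, the conditions must be on the process UIDs as they stand after the set-user-ID switch caused by the binary (a nonzero-UID process executing a set-user-ID-root program then has effective UID 0); say so explicitly in the lead-in, or drop the "nonzero UIDs" qualifier. Related: the summary bullet "a set-user-ID-root program, or when a process with an effective UID of 0 execve(2)s a program, it gains all capabilities in its permitted capability set" is narrower than item 1, which also fires when only the real UID is 0, and it omits the "that does not have attached capabilities" qualifier the new paragraph just above puts on the set-user-ID-root case; suggest "a set-user-ID-root program that does not have attached capabilities, or when a process whose real or effective UID is 0 execve(2)s a program".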
@ -1218,17 +1227,22 @@ a program,
it gains all capabilities in its permitted capability set,
.\" but no effective capabilities
except those masked out by the capability bounding set.
If, in addition, the file permitted capability bit is on,
the process's new permitted capabilities are also assigned
to its effective set.
.PP
The above steps yield semantics that are the same as those provided by
traditional UNIX systems.
The above special treatments of user ID 0 can be disabled using the
securebits mechanism described below.
.\"
.SS Set-user-ID-root programs that have file capabilities
Executing a program that is both set-user-ID root and has
file capabilities will cause the process to gain just the
file capabilities iby a process that has nonzero UIDs
will cause the process to gain just the
capabilities granted by the program
(i.e., not all capabilities,
as would occur when executing a set-user-ID-root program
that does not have any associated file capabilities).
.PP
Note that one can assign empty capability sets to a program file,
and thus it is possible to create a set-user-ID-root program that
changes the effective and saved set-user-ID of the process
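Review bot: the carried-over sentence "If, in addition, the file permitted capability bit is on, the process's new permitted capabilities are also assigned to its effective set" refers to a "file permitted capability bit" that the rules in this section never define; rule 2 above, and the first point of the commit message, are about the file effective bit, so this should read "If, in addition, the file effective bit is on" (the preceding ".\" but no effective capabilities" comment also no longer matches the sentence it annotates and should go with it). Secondary: the reworked sentence in "Set-user-ID-root programs that have file capabilities" has a stray "iby" in "file capabilities iby a process that has nonzero UIDs", and the sentence it belongs to would read more directly as "When a process with nonzero UIDs executes a program that is both set-user-ID-root and has file capabilities, the process gains just the capabilities granted by the program (i.e., not all capabilities, as would occur ...)".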