From bc1950ac92d69ad42b03eb6a4a1ad0dd3acb1ccc Mon Sep 17 00:00:00 2001 From: Michael Kerrisk Date: Sun, 10 Feb 2019 03:40:15 +0100 Subject: [PATCH] capabilities.7: Rework discussion of exec and UID 0, correcting a couple of details Clarify the "Capabilities and execution of programs by root" section, and correct a couple of details: * If a process with rUID == 0 && eUID != 0 does an exec, the process will nevertheless gain effective capabilities if the file effective bit is set. * Set-UID-root programs only confer a full set of capabilities if the binary does not also have attached capabilities. Signed-off-by: Michael Kerrisk --- man7/capabilities.7 | 38 ++++++++++++++++++++++++++------------ 1 file changed, 26 insertions(+), 12 deletions(-) diff --git a/man7/capabilities.7 b/man7/capabilities.7 index a65d58093..2a6a0f079 100644 --- a/man7/capabilities.7 +++ b/man7/capabilities.7 
@@ -1186,25 +1186,34 @@ API. .SS Capabilities and execution of programs by root .\" See cap_bprm_set_creds() and handle_privileged_root() in .\" security/commoncap.c (Linux 5.0 source) -In order to provide an all-powerful -.I root -using capability sets, during an -.BR execve (2): +In order to mirror traditional UNIX semantics, +execution of programs by root (UID 0) +as well as execution of set-user-ID-root programs +result in special treatment of capabilities during an +.BR execve (2). +.PP +When a process with nonzero UIDs executes a binary: .IP 1. 3 -If a set-user-ID-root program is being executed, -or the real or effective user ID of the process is 0 (root) +If the real or effective user ID of the process is 0 (root), then the file inheritable and permitted sets are defined to be all ones (i.e., all capabilities enabled). .IP 2. -If a set-user-ID-root program is being executed, -or the effective user ID of the process is 0 (root) +If the effective user ID of the process is 0 (root) or +the file effective bit is in fact enabled, then the file effective bit is defined to be one (enabled). .PP +If a process with nonzero user IDs executes a set-user-ID-root binary +that does not have attached capabilities, +the file capability sets are considered to be all ones. +(See below for a discussion of what happens +when a process with nonzero UIDs executes a binary +that is both set-user-ID root and has attached file capabilities.) +.PP The upshot of the above rules, combined with the capabilities transformations described above, is as follows: .IP * 3 -When a process +When a process with nonzero UIDs .BR execve (2)s a set-user-ID-root program, or when a process with an effective UID of 0 .BR execve (2)s 
@@ -1218,17 +1227,22 @@ a program, it gains all capabilities in its permitted capability set, .\" but no effective capabilities except those masked out by the capability bounding set. +If, in addition, the file permitted capability bit is on, +the process's new permitted capabilities are also assigned +to its effective set. .PP -The above steps yield semantics that are the same as those provided by -traditional UNIX systems. +The above special treatments of user ID 0 can be disabled using the +securebits mechanism described below. .\" .SS Set-user-ID-root programs that have file capabilities Executing a program that is both set-user-ID root and has -file capabilities will cause the process to gain just the +file capabilities iby a process that has nonzero UIDs +will cause the process to gain just the capabilities granted by the program (i.e., not all capabilities, as would occur when executing a set-user-ID-root program that does not have any associated file capabilities). +.PP Note that one can assign empty capability sets to a program file, and thus it is possible to create a set-user-ID-root program that changes the effective and saved set-user-ID of the process
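Review bot: in the first hunk, the new lead-in "When a process with nonzero UIDs executes a binary:" contradicts the two numbered rules it introduces, both of which trigger on a user ID of 0 ("If the real or effective user ID of the process is 0 (root)" and "If the effective user ID of the process is 0 (root) or the file effective bit is in fact enabled"), and it also clashes with the paragraph added just after them, which says that a set-user-ID-root binary without attached capabilities has its file capability sets "considered to be all ones" (that case is exactly the one where the exec has switched the effective UID to 0 before the rules are evaluated). Suggest a lead-in that does not restrict the rules to nonzero UIDs, for example "After any change to the effective UID triggered by a set-user-ID-root binary has been applied, the file capability sets are computed as follows:", so that the numbered rules, the set-user-ID-root paragraph and the "When a process with nonzero UIDs execve(2)s a set-user-ID-root program, or when a process with an effective UID of 0 execve(2)s" summary read as one consistent rule set.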
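Review bot: in the second hunk, "If, in addition, the file permitted capability bit is on, the process's new permitted capabilities are also assigned to its effective set." names the wrong bit: the condition that copies the new permitted set into the effective set is the file effective bit, which is what the commit message itself states ("will nevertheless gain effective capabilities if the file effective bit is set") and what rule 2 in the previous hunk defines; there is no single "file permitted capability bit", the file permitted capabilities are a set. Suggest "If, in addition, the file effective bit is enabled, the process's new permitted capabilities are also assigned to its effective set." Also, "file capabilities iby a process that has nonzero UIDs" has a typo ("iby" for "by").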