Steve Hilder
cbcd119573
capabilities.7: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2020-08-22 22:24:02 +02:00
Michael Kerrisk
ed6c69cab9
intro.1, clock_getres.2, execve.2, fcntl.2, iopl.2, lseek.2, mknod.2, mmap.2, mount.2, mq_getsetattr.2, pidfd_open.2, prctl.2, setns.2, sgetmask.2, sigaction.2, stat.2, statx.2, sync.2, syscalls.2, syslog.2, timerfd_create.2, umask.2, a64l.3, aio_init.3, atoi.3, dladdr.3, fread.3, getpt.3, isfdtype.3, malloc_stats.3, malloc_trim.3, mkfifo.3, mq_close.3, mq_open.3, mq_receive.3, mq_send.3, mq_unlink.3, posix_memalign.3, posix_openpt.3, pthread_atfork.3, pthread_rwlockattr_setkind_np.3, regex.3, scanf.3, sem_close.3, sem_destroy.3, sem_init.3, sem_open.3, sem_post.3, sem_unlink.3, sigset.3, sigvec.3, strftime.3, termios.3, console_codes.4, dsp56k.4, fd.4, lp.4, mouse.4, pts.4, sk98lin.4, dir_colors.5, proc.5, resolv.conf.5, termcap.5, utmp.5, aio.7, armscii-8.7, arp.7, capabilities.7, cgroups.7, charsets.7, cp1251.7, cp1252.7, environ.7, glob.7, inode.7, iso_8859-1.7, iso_8859-10.7, iso_8859-11.7, iso_8859-13.7, iso_8859-14.7, iso_8859-15.7, iso_8859-16.7, iso_8859-2.7, iso_8859-3.7, iso_8859-4.7, iso_8859-5.7, iso_8859-6.7, iso_8859-7.7, iso_8859-8.7, iso_8859-9.7, keyrings.7, koi8-r.7, koi8-u.7, mailaddr.7, man-pages.7, netdevice.7, operator.7, persistent-keyring.7, process-keyring.7, pthreads.7, pty.7, raw.7, regex.7, session-keyring.7, shm_overview.7, signal.7, socket.7, suffixes.7, thread-keyring.7, unicode.7, units.7, uri.7, user-keyring.7, user-session-keyring.7, iconvconfig.8, ld.so.8, zic.8: tstamp
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2020-08-13 10:01:14 +02:00
Michael Kerrisk
aade901bee
capabilities.7: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2020-07-17 13:31:12 +02:00
Saikiran Madugula
69a0c93e3c
capabilities.7: CAP_SYS_RESOURCE: add two more items for POSIX message queues
...
CAP_SYS_RESOURCE also allows overriding /proc/sys/fs/mqueue/msg_max
and /proc/sys/fs/mqueue/msgsize_max.
Signed-off-by: Saikiran Madugula <hummerbliss@gmail.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2020-07-17 13:31:06 +02:00
Michael Kerrisk
28a4c58cc2
intro.1, localedef.1, memusage.1, memusagestat.1, bpf.2, execve.2, fork.2, keyctl.2, request_key.2, sigaction.2, signal.2, socket.2, dlopen.3, getauxval.3, gnu_get_libc_version.3, pthread_atfork.3, sem_post.3, setjmp.3, strftime.3, veth.4, locale.5, nscd.conf.5, resolv.conf.5, address_families.7, armscii-8.7, ascii.7, capabilities.7, cgroups.7, charsets.7, cp1251.7, cp1252.7, iso_8859-1.7, iso_8859-10.7, iso_8859-11.7, iso_8859-13.7, iso_8859-14.7, iso_8859-15.7, iso_8859-16.7, iso_8859-2.7, iso_8859-3.7, iso_8859-4.7, iso_8859-5.7, iso_8859-6.7, iso_8859-7.7, iso_8859-8.7, iso_8859-9.7, keyrings.7, koi8-r.7, koi8-u.7, libc.7, locale.7, man.7, network_namespaces.7, persistent-keyring.7, session-keyring.7, signal.7, unicode.7, uri.7, user-keyring.7, user-session-keyring.7: ffix: replace - with real\-
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2020-07-06 14:28:51 +02:00
Dan Kenigsberg
0c576731a8
capabilities.7: Clarify that CAP_SYS_NICE relates to *lowering* the nice value
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2020-06-24 13:43:06 +02:00
Michael Kerrisk
baa9880610
capabilities.7: srcfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2020-06-24 12:02:18 +02:00
Michael Kerrisk
9f6f7345e4
capabilities.7: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2020-06-24 12:01:06 +02:00
Michael Kerrisk
a3cb5856c8
capabilities.7: Clarify wording around increasing process nice value
...
The fact that a more negative nice value means higher
priority is a continuing source of confusion.
Reported-by: Dan Kenigsberg <danken@redhat.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2020-06-24 11:59:49 +02:00
Michael Kerrisk
81701c0437
capabilities.7: Document CAP_BPF
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2020-06-12 13:52:22 +02:00
Michael Kerrisk
3502d8682f
capabilities.7: srcfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2020-06-12 13:52:22 +02:00
Michael Kerrisk
e39e42409d
capabilities.7: Add CAP_PERFMON
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2020-06-12 13:52:22 +02:00
Michael Kerrisk
a8fcac48f5
capabilities.7: SEE ALSO: add getpcaps(8)
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2020-06-10 08:00:46 +02:00
Michael Kerrisk
1cc2995abf
capabilities.7: tfix
...
Reported-by: Helge Kreutzmann <debian@helgefjell.de>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2020-04-19 21:20:09 +02:00
Michael Kerrisk
19531dec84
capabilities.7: tfix
...
Reported-by: Helge Kreutzmann <debian@helgefjell.de>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2020-04-19 16:42:00 +02:00
Michael Kerrisk
ef0ba060b3
capabilities.7: Minor clarification of historical behavior
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2019-12-30 11:01:01 +01:00
Michael Kerrisk
bafa494386
capabilities.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2019-12-30 11:01:01 +01:00
Marko Myllynen
d6094c8a3b
capabilities.7: tfix
...
Hi Michael, it's been a while but few simple patches today..
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2019-08-26 23:14:49 +02:00
Michael Kerrisk
7e7e8de32e
capabilities.7: CAP_SYS_ADMIN allows modifying autogroup nice values
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2019-08-02 13:57:10 +02:00
Michael Kerrisk
63121bd499
pldd.1, bpf.2, chdir.2, clone.2, fanotify_init.2, fanotify_mark.2, intro.2, ipc.2, mount.2, mprotect.2, msgctl.2, msgget.2, msgop.2, pivot_root.2, pkey_alloc.2, poll.2, prctl.2, semctl.2, semget.2, semop.2, setxattr.2, shmctl.2, shmget.2, shmop.2, tkill.2, dlopen.3, exec.3, ftok.3, getutent.3, on_exit.3, strcat.3, cpuid.4, proc.5, capabilities.7, cgroup_namespaces.7, credentials.7, fanotify.7, mount_namespaces.7, namespaces.7, sched.7, signal.7, socket.7, unix.7, user_namespaces.7, vdso.7, xattr.7, ld.so.8: tstamp
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2019-08-02 08:34:32 +02:00
Michael Kerrisk
40ca38806d
capabilities.7: Add pivot_root(2) to CAP_SYS_ADMIN list
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2019-07-28 13:34:28 +02:00
Michael Kerrisk
3b13efed75
capabilities.7: Add a note about using strace on binaries that have capabilities
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2019-07-17 04:19:01 +02:00
Michael Kerrisk
c99eb2b204
capabilities.7: CAP_FOWNER also allows modifying user xattrs on sticky directories
...
See fs/xattr.c::xattr_permission()"
/*
* In the user.* namespace, only regular files and directories can have
* extended attributes. For sticky directories, only the owner and
* privileged users can write attributes.
*/
if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
if (!S_ISREG(inode->i_mode) && !S_ISDIR(inode->i_mode))
return (mask & MAY_WRITE) ? -EPERM : -ENODATA;
if (S_ISDIR(inode->i_mode) && (inode->i_mode & S_ISVTX) &&
(mask & MAY_WRITE) && !inode_owner_or_capable(inode))
return -EPERM;
}
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2019-07-01 09:59:37 +02:00
Michael Kerrisk
9ba0180298
getent.1, iconv.1, ldd.1, locale.1, localedef.1, memusage.1, memusagestat.1, pldd.1, sprof.1, time.1, _syscall.2, accept.2, add_key.2, adjtimex.2, bind.2, bpf.2, capget.2, chown.2, chroot.2, clock_getres.2, clone.2, connect.2, copy_file_range.2, epoll_ctl.2, epoll_wait.2, eventfd.2, fanotify_init.2, fanotify_mark.2, fcntl.2, fsync.2, futex.2, getcpu.2, getdents.2, getgid.2, getgroups.2, getpid.2, gettid.2, gettimeofday.2, getuid.2, getxattr.2, inotify_add_watch.2, inotify_init.2, ioctl_fat.2, ioctl_ns.2, ioctl_userfaultfd.2, ioprio_set.2, kcmp.2, kexec_load.2, keyctl.2, listxattr.2, lseek.2, madvise.2, memfd_create.2, migrate_pages.2, mount.2, mprotect.2, mremap.2, msgctl.2, msgop.2, nfsservctl.2, open_by_handle_at.2, perf_event_open.2, pipe.2, pivot_root.2, pkey_alloc.2, poll.2, posix_fadvise.2, prctl.2, readahead.2, readdir.2, readlink.2, reboot.2, recvmmsg.2, removexattr.2, rename.2, request_key.2, s390_guarded_storage.2, s390_runtime_instr.2, s390_sthyi.2, sched_setaffinity.2, sched_setattr.2, sched_setparam.2, seccomp.2, select.2, select_tut.2, semctl.2, sendmmsg.2, set_thread_area.2, setgid.2, setns.2, setuid.2, setxattr.2, shmctl.2, sigaction.2, signalfd.2, sigsuspend.2, socket.2, socketpair.2, spu_run.2, stat.2, statx.2, subpage_prot.2, syscalls.2, sysctl.2, tee.2, timer_create.2, timerfd_create.2, truncate.2, uname.2, unshare.2, userfaultfd.2, ustat.2, vmsplice.2, write.2, CPU_SET.3, __ppc_get_timebase.3, alloca.3, argz_add.3, asprintf.3, backtrace.3, basename.3, bsd_signal.3, bstring.3, bswap.3, bzero.3, cacos.3, cacosh.3, catan.3, catanh.3, catgets.3, clock_getcpuclockid.3, cmsg.3, confstr.3, ctermid.3, ctime.3, des_crypt.3, dl_iterate_phdr.3, dlinfo.3, dlsym.3, duplocale.3, end.3, endian.3, errno.3, exec.3, exit.3, ferror.3, fgetws.3, fmemopen.3, fnmatch.3, fopencookie.3, fputws.3, frexp.3, ftw.3, get_nprocs_conf.3, get_phys_pages.3, getaddrinfo.3, getaddrinfo_a.3, getdate.3, getgrouplist.3, getifaddrs.3, getline.3, getlogin.3, getmntent.3, getnameinfo.3, getopt.3, getpass.3, getprotoent_r.3, getpwnam.3, getservent_r.3, getsubopt.3, glob.3, gnu_get_libc_version.3, hsearch.3, if_nameindex.3, index.3, inet.3, inet_net_pton.3, inet_pton.3, insque.3, isatty.3, iswblank.3, iswspace.3, lockf.3, makecontext.3, mallinfo.3, malloc.3, malloc_hook.3, malloc_info.3, mallopt.3, matherr.3, mbrtowc.3, mbsnrtowcs.3, mbsrtowcs.3, mbstowcs.3, mbtowc.3, mcheck.3, memchr.3, mq_getattr.3, mq_notify.3, newlocale.3, nl_langinfo.3, offsetof.3, perror.3, posix_spawn.3, printf.3, pthread_attr_init.3, pthread_cancel.3, pthread_cleanup_push.3, pthread_getattr_default_np.3, pthread_getattr_np.3, pthread_getcpuclockid.3, pthread_mutexattr_setrobust.3, pthread_rwlockattr_setkind_np.3, pthread_setaffinity_np.3, pthread_setname_np.3, pthread_setschedparam.3, pthread_sigmask.3, putenv.3, qsort.3, rand.3, random.3, readdir.3, regex.3, resolver.3, rpmatch.3, rtime.3, scanf.3, sem_wait.3, setaliasent.3, setbuf.3, stpcpy.3, stpncpy.3, strcat.3, strchr.3, strcmp.3, strcpy.3, strdup.3, strerror.3, strfromd.3, strfry.3, strftime.3, string.3, strlen.3, strnlen.3, strsep.3, strstr.3, strtok.3, strtol.3, strtoul.3, strverscmp.3, strxfrm.3, system.3, termios.3, trunc.3, wcpcpy.3, wcpncpy.3, wcrtomb.3, wcscat.3, wcscpy.3, wcslen.3, wcsncat.3, wcsncmp.3, wcsncpy.3, wcsnlen.3, wcsnrtombs.3, wcsrtombs.3, wcsstr.3, wcstok.3, wcstombs.3, wcwidth.3, wprintf.3, xcrypt.3, console_codes.4, dsp56k.4, full.4, initrd.4, lirc.4, loop.4, st.4, tty.4, vcs.4, charmap.5, core.5, host.conf.5, locale.5, proc.5, repertoiremap.5, resolv.conf.5, termcap.5, tmpfs.5, tzfile.5, aio.7, capabilities.7, cgroup_namespaces.7, cgroups.7, charsets.7, complex.7, epoll.7, fanotify.7, feature_test_macros.7, inotify.7, ip.7, locale.7, man-pages.7, man.7, namespaces.7, pid_namespaces.7, pkeys.7, pthreads.7, rtld-audit.7, sched.7, signal.7, sock_diag.7, socket.7, tcp.7, udp.7, unicode.7, user_namespaces.7, utf-8.7, zdump.8, zic.8: tstamp
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2019-03-06 15:12:10 +01:00
Michael Kerrisk
9f92e4e1cb
capabilities.7: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2019-02-23 22:03:20 +01:00
Michael Kerrisk
4312e0cb67
capabilities.7: CAP_SYS_CHROOT allows use of setns() to change the mount namespace
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2019-02-23 22:03:20 +01:00
Michael Kerrisk
dd61e8a8f4
capabilities.7: srcfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2019-02-23 22:03:20 +01:00
Michael Kerrisk
9c5b11bf42
capabilities.7: Add a subsection on per-user-namespace "set-user-ID-root" programs
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2019-02-23 22:03:20 +01:00
Michael Kerrisk
bcf7072dbd
capabilities.7: Relocate the subsection "Interaction with user namespaces"
...
This best belongs at the end of the page, after the subsections
that already make some mention of user namespaces.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2019-02-23 22:03:20 +01:00
Michael Kerrisk
049d1a1534
capabilities.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2019-02-23 22:03:20 +01:00
Michael Kerrisk
33d0916f81
capabilities.7: Substantially rework "Capabilities and execution of programs by root"
...
Rework for improved clarity, and also to include missing details
on the case where (1) the binary that is being executed has
capabilities attached and (2) the real user ID of the process is
not 0 (root) and (3) the effective user ID of the process is 0
(root).
Kernel code analysis and some test code (GPLv3 licensed) below.
======
My analysis of security/commoncaps.c capabilities handling
(from Linux 4.20 source):
execve() eventually calls __do_execve_file():
__do_execve_file()
|
+-prepare_bprm_creds(&bprm)
| |
| +-prepare_exec_creds()
| | |
| | +-prepare_creds()
| | |
| | | // Returns copy of existing creds
| | |
| | +-security_prepare_creds()
| | |
| | +-cred_prepare() [via hook]
| | // Seems to do nothing for commoncaps
| |
| // Returns creds provided by prepare_creds()
|
// Places creds returned by prepare_exec_creds() in bprm->creds
|
|
+-prepare_binprm(&bprm) // bprm from prepare_bprm_creds()
|
+-bprm_fill_uid(&bprm)
|
| // Places current credentials into bprm
|
| // Performs set-UID & set-GID transitions if those file bits are set
|
+-security_bprm_set_creds(&bprm)
|
+-bprm_set_creds(&bprm) [via hook]
|
+-cap_bprm_set_creds(&bprm)
|
// effective = false
|
+-get_file_caps(&bprm, &effective, &has_fcap)
| |
| +-get_vfs_caps_from_disk(..., &vcaps)
| |
| | // Fetches file capabilities from disk and places in vcaps
| |
| +-bprm_caps_from_vfs_caps(&vcaps, &bprm, &effective, &has_fcap)
|
| // If file effective bit is set: effective = true
| //
| // If file has capabilities: has_fcap |= true
| //
| // Perform execve transformation:
| // P'(perm) = F(inh) & P(Inh) | F(Perm) & P(bset)
|
+-handle_privileged_root(&bprm, has_fcap, &effective, root_uid)
|
| // If has_fcap && (rUID != root && eUID == root) then
| // return without doing anything
| //
| // If rUID == root || eUID == root then
| // P'(perm) = P(inh) | P(bset)
| //
| // If eUID == root then
| // effective = true
|
// Perform execve() transformation:
//
// P'(Amb) = (privprog) ? 0 : P(Amb)
// P'(Perm) |= P'(Amb)
// P'(Eff) = effective ? P'(Perm) : P'(Amb)
Summary
1. Perform set-UID/set-GID transformations
2. P'(Amb) = (privprog) ? 0 : P(Amb)
3. If [process has nonzero UIDs] OR
([file has caps] && [rUID != root && eUID == root]), then
P'(perm) = F(inh) & P(Inh) | F(Perm) & P(bset) | P'(Amb)
else // ~ [process has rUID == root || eUID == root]
P'(perm) = P(inh) | P(bset) | P'(Amb)
4. P'(Eff) = (F(eff) || eUID == root) ? P'(Perm) : P'(Amb)
======
$ cat show_creds_and_caps_long.c
int
main(int argc, char *argv[])
{
uid_t ruid, euid, suid;
gid_t rgid, egid, sgid;
cap_t caps;
char *s;
if (getresuid(&ruid, &euid, &suid) == -1) {
perror("getresuid");
exit(EXIT_FAILURE);
}
if (getresgid(&rgid, &egid, &sgid) == -1) {
perror("getresgid");
exit(EXIT_FAILURE);
}
printf("UID: %5ld (real), %5ld (effective), %5ld (saved)\n",
(long) ruid, (long) euid, (long) suid);
printf("GID: %5ld (real), %5ld (effective), %5ld (saved)\n",
(long) rgid, (long) egid, (long) sgid);
caps = cap_get_proc();
if (caps == NULL) {
perror("cap_get_proc");
exit(EXIT_FAILURE);
}
s = cap_to_text(caps, NULL);
if (s == NULL) {
perror("cap_to_text");
exit(EXIT_FAILURE);
}
printf("Capabilities: %s\n", s);
cap_free(caps);
cap_free(s);
exit(EXIT_SUCCESS);
}
$ cat cred_launcher.c
} while (0)
do { fprintf(stderr, "Usage: "); \
fprintf(stderr, msg, progName); \
exit(EXIT_FAILURE); } while (0)
int
main(int argc, char *argv[])
{
uid_t r, e, s;
if (argc != 5 || strcmp(argv[1], "--help") == 0)
usageErr("%s rUID eUID sUID <prog>\n", argv[0]);
r = atoi(argv[1]);
e = atoi(argv[2]);
s = atoi(argv[3]);
if (setresuid(r, e, s) == -1)
errExit("setresuid");
if (getresuid(&r, &e, &s) == -1)
errExit("getresuid");
execv(argv[4], &argv[4]);
errExit("execve");
}
$ cc -o cred_launcher cred_launcher.c
$ cc -o show_creds_and_caps_long show_creds_and_caps_long.c -lcap
$ sudo ./cred_launcher 1000 0 1000 ./show_creds_and_caps_long
UID: 1000 (real), 0 (effective), 0 (saved)
GID: 0 (real), 0 (effective), 0 (saved)
Capabilities: =ep
$ sudo setcap cap_kill=pe show_creds_and_caps_long
$ sudo ./cred_launcher 1000 0 1000 ./show_creds_and_caps_long
UID: 1000 (real), 0 (effective), 0 (saved)
GID: 0 (real), 0 (effective), 0 (saved)
Capabilities: = cap_kill+ep
The final program execution above shows the special casing
that occurs in handle_privileged_root() for the case where:
rUID != root && eUID == root && [file has capabilities]
======
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2019-02-23 22:03:20 +01:00
Michael Kerrisk
cc0fb214da
capabilities.7: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2019-02-23 22:03:20 +01:00
Michael Kerrisk
1a9ed17c9e
capabilities.7: Improve the discussion of when file capabilities are ignored
...
The text stated that the execve() capability transitions are not
performed for the same reasons that setuid and setgid mode bits
may be ignored (as described in execve(2)). But, that's not quite
correct: rather, the file capability sets are treated as empty
for the purpose of the capability transition calculations.
Also merge the new 'no_file_caps' kernel option text into the
same paragraph.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2019-02-23 22:03:20 +01:00
Michael Kerrisk
f6acfeb8f8
capabilities.7: Document the 'no_file_caps' kernel command-line option
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2019-02-23 22:03:20 +01:00
Michael Kerrisk
bc1950ac92
capabilities.7: Rework discussion of exec and UID 0, correcting a couple of details
...
Clarify the "Capabilities and execution of programs by root"
section, and correct a couple of details:
* If a process with rUID == 0 && eUID != 0 does an exec,
the process will nevertheless gain effective capabilities
if the file effective bit is set.
* Set-UID-root programs only confer a full set of capabilities
if the binary does not also have attached capabilities.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2019-02-10 03:40:15 +01:00
Michael Kerrisk
db18d67f21
capabilities.7: srcfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2019-02-07 11:40:25 +01:00
Michael Kerrisk
d893df00d9
capabilities.7: Update URL for libcap tarballs
...
The previous location does not seem to be getting updated.
(For example, at the time of this commit, libcap-2.26
had been out for two months, but was not present at
http://www.kernel.org/pub/linux/libs/security/linux-privs .
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-11-17 07:26:22 +01:00
Michael Kerrisk
2eb89baa0e
capabilities.7: Minor fixes to Marcus Gelderie's patch
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-11-01 20:55:13 +01:00
Marcus Gelderie
35ecd12dd9
capabilities.7: Mention header for SECBIT constants
...
Mention that the named constants (SECBIT_KEEP_CAPS and others)
are available only if the linux/securebits.h user-space header
is included.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-11-01 20:55:13 +01:00
Michael Kerrisk
dd63e15948
capabilities.7: Correct the description of SECBIT_KEEP_CAPS
...
This just adds to the point made by Marcus Gelderie's patch. Note
also that SECBIT_KEEP_CAPS provides the same functionality as the
prctl() PR_SET_KEEPCAPS flag, and the prctl(2) manual page has the
correct description of the semantics (i.e., that the flag affects
the treatment of onlt the permitted capability set).
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-11-01 14:40:49 +01:00
Michael Kerrisk
ab7ef2a882
capabilities.7: Minor tweaks to the text added by Marcus Gelderie's patch
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-11-01 14:40:49 +01:00
Marcus Gelderie
7d32b135d6
capabilities.7: Add details about SECBIT_KEEP_CAPS
...
The description of SECBIT_KEEP_CAPS is misleading about the
effects on the effective capabilities of a process during a
switch to nonzero UIDs. The effective set is cleared based on
the effective UID switching to a nonzero value, even if
SECBIT_KEEP_CAPS is set. However, with this bit set, the
effective and permitted sets are not cleared if the real and
saved set-user-ID are set to nonzero values.
This was tested using the following C code and reading the kernel
source at security/commoncap.c: cap_emulate_setxuid.
void print_caps(void) {
cap_t current = cap_get_proc();
if (!current) {
perror("Current caps");
return;
}
char *text = cap_to_text(current, NULL);
if (!text) {
perror("Converting caps to text");
goto free_caps;
}
printf("Capabilities: %s\n", text);
cap_free(text);
free_caps:
cap_free(current);
}
void print_creds(void) {
uid_t ruid, suid, euid;
if (getresuid(&ruid, &euid, &suid)) {
perror("Error getting UIDs");
return;
}
printf("real = %d, effective = %d, saved set-user-ID = %d\n", ruid, euid, suid);
}
void set_caps(int size, const cap_value_t *caps) {
cap_t current = cap_init();
if (!current) {
perror("Error getting current caps");
return;
}
if (cap_clear(current)) {
perror("Error clearing caps");
}
if (cap_set_flag(current, CAP_INHERITABLE, size, caps, CAP_SET)) {
perror("setting caps");
goto free_caps;
}
if (cap_set_flag(current, CAP_EFFECTIVE, size, caps, CAP_SET)) {
perror("setting caps");
goto free_caps;
}
if (cap_set_flag(current, CAP_PERMITTED, size, caps, CAP_SET)) {
perror("setting caps");
goto free_caps;
}
if (cap_set_proc(current)) {
perror("Comitting caps");
goto free_caps;
}
free_caps:
cap_free(current);
}
const cap_value_t caps[] = {CAP_SETUID, CAP_SETPCAP};
const size_t num_caps = sizeof(caps) / sizeof(cap_value_t);
int main(int argc, char **argv) {
puts("[+] Dropping most capabilities to reduce amount of console output...");
set_caps(num_caps, caps);
puts("[+] Dropped capabilities. Starting with these credentials and capabilities:");
print_caps();
print_creds();
if (argc >= 2 && 0 == strncmp(argv[1], "keep", 4)) {
puts("[+] Setting SECBIT_KEEP_CAPS bit");
if (prctl(PR_SET_SECUREBITS, SECBIT_KEEP_CAPS, 0, 0, 0)) {
perror("Setting secure bits");
return 1;
}
}
puts("[+] Setting effective UID to 1000");
if (seteuid(1000)) {
perror("Error setting effective UID");
return 2;
}
print_caps();
print_creds();
puts("[+] Raising caps again");
set_caps(num_caps, caps);
print_caps();
print_creds();
puts("[+] Setting all remaining UIDs to nonzero values");
if (setreuid(1000, 1000)) {
perror("Error setting all UIDs to 1000");
return 3;
}
print_caps();
print_creds();
return 0;
}
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-11-01 14:39:25 +01:00
Michael Kerrisk
3acd70581d
capabilities.7: Update URL for location of POSIX.1e draft standard
...
Reported-by: Allison Randal <allison@lohutok.net>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-09-29 00:02:44 +02:00
Michael Kerrisk
5367a9aba9
capabilities.7: Ambient capabilities do not trigger secure-execution mode
...
Reported-by: Pierre Chifflier <pollux@debian.org>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-09-13 11:41:08 +02:00
Michael Kerrisk
0d59d0c8bf
capabilities.7: tfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-08-03 16:07:59 +02:00
Michael Kerrisk
2c77e8de08
capabilities.7: Note that v3 security.attributes are transparently created/retrieved
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-02 09:59:21 +02:00
Michael Kerrisk
00ae99b028
capabilities.7: Fix some imprecisions in discussion of namespaced file capabilities
...
The file UID does not come into play when creating a v3
security.capability extended attribute.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-01 11:42:13 +02:00
Michael Kerrisk
9b2c207a33
capabilities.7: wfix
...
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-01 11:42:13 +02:00
Michael Kerrisk
c281d0505d
capabilities.7: wfix
...
Fix some confusion between "mask" and "extended attribute"
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-01 11:42:13 +02:00
Michael Kerrisk
54254ef33a
capabilities.7: srcfix: Removed FIXME
...
No credential match of file UID and namespace creator UID
is needed to create a v3 security extended attribute.
Verified by experiment using my userns_child_exec.c and
show_creds.c programs (available on http://man7.org/tlpi/code ):
$ sudo setcap cap_setuid,cap_dac_override=pe \
./userns_child_exec
$ ./userns_child_exec -U -r setcap cap_kill=pe show_creds
$ ./userns_child_exec -U -M '0 1000 10' -G '0 1000 1' \
-s 1 ./show_creds
eUID = 1; eGID = 0; capabilities: = cap_kill+ep
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-01 11:42:07 +02:00