I am experimenting with capabilities, on Debian Gnu/Linux.
I have copied /bin/ping to my current working directory. As expected it does not work, it was originally setuid root.
I then give my ping the minimal capabilities (not root) by doing sudo /sbin/setcap cap_net_raw=ep ./ping
, and my ping works, as expected.
Then sudo /sbin/setcap -r ./ping
to revoke that capability. It is now not working as expected.
I now try to get ping working using capsh
.
capsh
has no privileges, so I need to run it as root, but then drop root and thus all other privileges.
I think I also need secure-keep-caps
, this is not documented in capsh
, but is in the capability manual. I got the bit numbers from /usr/include/linux/securebits.h
. They seem correct, as the output of --print
shows these bits to be correct.
I have been fiddling for hours, so far I have this.
sudo /sbin/capsh --keep=1 --secbits=0x10 --caps="cap_net_raw+epi" == --secbits=0x10 --user=${USER} --print -- -c "./ping localhost"
However ping
errors with ping: icmp open socket: Operation not permitted
, this is what happens when it does not have the capability. Also the --print
shows Current: =p cap_net_raw+i
, this is not enough we need e
.
sudo /sbin/capsh --caps="cap_net_raw+epi" --print -- -c "./ping localhost"
will set the capability to Current: = cap_net_raw+eip
this is correct, but leaves us as root
.
Edit-1
I have now tried sudo /sbin/capsh --keep=1 --secbits=0x11 --caps=cap_net_raw+epi --print -- -c "touch zz; ./ping -c1 localhost;"
This produces:
touch: cannot touch `zz': Permission denied
ping: icmp open socket: Operation not permitted
The first error is expected as secure-noroot: yes
But the second is not Current: = cap_net_raw+eip
Edit-2
If I put ==
before the --print
, it now shows Current: = cap_net_raw+i
, so that explains the previous error, but not why we are loosing capability when switching out of root, I though that secure-keep-caps
should fix that.
Edit-3
From what I can see, I am loosing Effective (e), and Permitted (p), when exec is called. This is expected, but I thought that secure-keep-caps, should stop them being lost. Am I missing something.
Edit-4
I have been doing more research, and reading the manual again. It seems that normally e
and p
capabilities are lost when: you switch from user root
( or apply secure-noroot
, thus making root a normal user), this can be overridden with secure-keep-caps
; when you call exec
, as far as I can tell this is an invariant.
As far as I can tell, it is working according to the manual. As far as I can tell there is no way to do anything useful with capsh
. As far as I can tell, to use capabilities you need to: use file capabilities or have a capabilities aware program, that does not use exec
. Therefore no privileged wrapper.
So now my question is what am I missing, what is capsh
for.
Edit-5
I have added an answer re ambient capabilities. Maybe capsh
can also be used with inherited capabilities, but to be useful these would need to be set on the executable file. I can not see how capsh can do anything useful without ambient capabilities, or to allow inherited capabilities.
Versions:
capsh
from packagelibcap2-bin
version1:2.22-1.2
- before edit-3 I grabbed the latest
capsh
fromgit://git.debian.org/collab-maint/libcap2.git
and started using it. uname -a
Linux richard-laptop 3.2.0-4-amd64 #1 SMP Debian 3.2.65-1+deb7u2 x86_64 GNU/Linux
User-land is 32bit.
Best Answer
Capabilities are properties of processes. Traditionally there are three sets:
Programs run as root always have full permitted and effective capabilities, so "adding" more capabilities has no noticeable effect. (The inheritable capabilities set is normally empty.) With
setcap cap_net_raw+ep ping
you enable these capabilities by default for any user running this program.Unfortunately these capabilities are bound to the executed file and are not retained after executing a new child process. Linux 4.3 introduced Ambient capabilities which allows capabilities to be inherited by child processes. (See also Transformation of capabilities during execve() in capabilities(7).)
While playing with capabilities, note these pitfalls:
--keep=1
option ofcapsh
to avoid clearing the sets.Since libcap 2.26, the
capsh
program gained the ability to modify ambient capabilities via options such as--addamb
(commit). Note that the options order is significant. Example usage:Tip: you can add the
--print
option anywhere in thecapsh
command line and see its current capabilities state.Note:
cap_setpcap
is needed for--addamb
whilecap_setuid,cap_setgid
are needed for the--user
option.