Capabilities – Use Capsh to Run Unprivileged Ping with Minimal Capabilities

capabilities

I am experimenting with capabilities, on Debian Gnu/Linux.

I have copied /bin/ping to my current working directory. As expected it does not work, it was originally setuid root.

I then give my ping the minimal capabilities (not root) by doing sudo /sbin/setcap cap_net_raw=ep ./ping, and my ping works, as expected.

Then sudo /sbin/setcap -r ./ping to revoke that capability. It is now not working as expected.

I now try to get ping working using capsh.

capsh has no privileges, so I need to run it as root, but then drop root and thus all other privileges.

I think I also need secure-keep-caps, this is not documented in capsh, but is in the capability manual. I got the bit numbers from /usr/include/linux/securebits.h. They seem correct, as the output of --print shows these bits to be correct.

I have been fiddling for hours, so far I have this.

sudo /sbin/capsh --keep=1 --secbits=0x10 --caps="cap_net_raw+epi" == --secbits=0x10 --user=${USER} --print -- -c "./ping localhost"

However ping errors with ping: icmp open socket: Operation not permitted, this is what happens when it does not have the capability. Also the --print shows Current: =p cap_net_raw+i, this is not enough we need e.

sudo /sbin/capsh --caps="cap_net_raw+epi" --print -- -c "./ping localhost" will set the capability to Current: = cap_net_raw+eip this is correct, but leaves us as root.

Edit-1

I have now tried sudo /sbin/capsh --keep=1 --secbits=0x11 --caps=cap_net_raw+epi --print -- -c "touch zz; ./ping -c1 localhost;"

This produces:

touch: cannot touch `zz': Permission denied
ping: icmp open socket: Operation not permitted

The first error is expected as secure-noroot: yes
But the second is not Current: = cap_net_raw+eip

Edit-2

If I put == before the --print, it now shows Current: = cap_net_raw+i, so that explains the previous error, but not why we are loosing capability when switching out of root, I though that secure-keep-caps should fix that.

Edit-3

From what I can see, I am loosing Effective (e), and Permitted (p), when exec is called. This is expected, but I thought that secure-keep-caps, should stop them being lost. Am I missing something.

Edit-4

I have been doing more research, and reading the manual again. It seems that normally e and p capabilities are lost when: you switch from user root ( or apply secure-noroot, thus making root a normal user), this can be overridden with secure-keep-caps; when you call exec, as far as I can tell this is an invariant.

As far as I can tell, it is working according to the manual. As far as I can tell there is no way to do anything useful with capsh. As far as I can tell, to use capabilities you need to: use file capabilities or have a capabilities aware program, that does not use exec. Therefore no privileged wrapper.

So now my question is what am I missing, what is capsh for.

Edit-5

I have added an answer re ambient capabilities. Maybe capsh can also be used with inherited capabilities, but to be useful these would need to be set on the executable file. I can not see how capsh can do anything useful without ambient capabilities, or to allow inherited capabilities.

Versions:

capsh from package libcap2-bin version 1:2.22-1.2
before edit-3 I grabbed the latest capsh from git://git.debian.org/collab-maint/libcap2.git and started using it.
uname -a Linux richard-laptop 3.2.0-4-amd64 #1 SMP Debian 3.2.65-1+deb7u2 x86_64 GNU/Linux
User-land is 32bit.

Best Answer

Capabilities are properties of processes. Traditionally there are three sets:

Permitted capabilities (p): capabilities that may be "activated" in the current process.
Effective capabilities (e): capabilities that are currently usable in the current process.
Inheritable capabilities (i): file capabilities that may be inherited.

Programs run as root always have full permitted and effective capabilities, so "adding" more capabilities has no noticeable effect. (The inheritable capabilities set is normally empty.) With setcap cap_net_raw+ep ping you enable these capabilities by default for any user running this program.

Unfortunately these capabilities are bound to the executed file and are not retained after executing a new child process. Linux 4.3 introduced Ambient capabilities which allows capabilities to be inherited by child processes. (See also Transformation of capabilities during execve() in capabilities(7).)

While playing with capabilities, note these pitfalls:

When changing the user from root to non-root, the effective and permitted capabilities are cleared (see Effect of user ID changes on capabilities in capabilities(7)). You can use the --keep=1 option of capsh to avoid clearing the sets.
The ambient capabilities set is cleared when changing the user or group IDs. Solution: add the ambient capabilities after changing the user ID, but before executing a child process.
A capability can only be added to the ambient capabilities set if it is already in both the permitted and inheritable capabilities set.

Since libcap 2.26, the capsh program gained the ability to modify ambient capabilities via options such as --addamb (commit). Note that the options order is significant. Example usage:

sudo capsh --caps="cap_net_raw+eip cap_setpcap,cap_setuid,cap_setgid+ep" \
    --keep=1 --user=nobody --addamb=cap_net_raw -- \
    -c "./ping -c1 127.0.0.1"

Tip: you can add the --print option anywhere in the capsh command line and see its current capabilities state.

Note: cap_setpcap is needed for --addamb while cap_setuid,cap_setgid are needed for the --user option.

Related Solutions

Linux – How to replace setuid with file-system capabilities

File system capabilities in Linux were added to allow more fine-grained control than setuid alone will allow. With setuid it's a full escalation of effective privileges to the user (typically root). The capabilities(7) manpage provides the following description:

For the purpose of performing permission checks, traditional Unix implementations distinguish two categories of pro‐ cesses: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged pro‐ cesses (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivi‐ leged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

If an application needs the ability to call chroot(), which is typically only allowed for root, CAP_SYS_CHROOT can be set on the binary rather than setuid. This can be done using the setcap command:

setcap CAP_SYS_CHROOT /bin/mybin

As of RPM version 4.7.0, capabilities can be set on packaged files using %caps.

Fedora 15 had a release goal of removing all setuid binaries tracked in this bug report. According to the bug report, this goal was accomplished.

The wikipedia article on Capability-based security is good read for anyone interested.

Ubuntu – Why doesn’t Ubuntu use capabilities on ping

It is considered a bug if a package has overly permissive capabilities, so these cases should be reported. However, they might have already fixed it according to https://bugs.launchpad.net/ubuntu/+source/iputils/+bug/534341