Reputation: 3442
I'm trying to use capsh to grant myself a shell with no capabilities at all with a certain user. This is so I can test security stuff related to being non-root but with only certain capabilities.
Basically I'd like to get a shell running with something similar to this. This would emulate the state under which the test program runs.
capsh --print
Current: =
Bounding set =
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=10101(u0_a101)
gid=10101(u0_a101)
groups=9997(everybody),50101(all_a101)
Then I'd like to be able to run capsh again to grant the user some capabilities and/or change uid/gid if it's at all possible.
I haven't found any good tutorials on capsh, if anyone has a good reference.
http://man7.org/linux/man-pages//man1/capsh.1.html
Upvotes: 5
Views: 3825
Reputation: 394
I guess it wasn't clear from my comment on the question, but in spite of the widespread belief, capsh --drop=all does not prevent a user from wielding capabilities. What you want is:
$ sudo capsh --user=$(whoami) --mode=NOPRIV --
$ capsh --current
Current: =
Current IAB: !cap_chown,!cap_dac_override,!cap_dac_read_search,!cap_fowner,!cap_fsetid,!cap_kill,!cap_setgid,!cap_setuid,!cap_setpcap,!cap_linux_immutable,!cap_net_bind_service,!cap_net_broadcast,!cap_net_admin,!cap_net_raw,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_chroot,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_write,!cap_audit_control,!cap_setfcap,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Here is a sequence that can retain individual capabilities through a --drop=all operation (this and other gotchas are documented on the libcap, capsh, ... distribution site):
$ sudo capsh --inh=cap_setuid --
# capsh --drop=all --
# capsh --current
Current: cap_setuid=eip
Current IAB: !cap_chown,...,!%cap_setuid,...,!cap_checkpoint_restore
# exit
# exit
$
Namely, the Inheritable capability flag is not suppressed by the Bounding set, and the --drop= command flag only affects the Bounding vector, and that only suppresses Permitted file Flag values.
Upvotes: 0
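As an added illustration of the gotcha in the answer above (example code written for this page, not taken from the answer or from libcap): a small Python checker that decodes the five Cap* masks of a /proc/<pid>/status listing into capability names and treats a process as unprivileged only when all five sets are empty. Both status listings are constructed samples, not captured output; the capability numbering is the kernel's, in the same order as the IAB list shown above.

```python
import re

# Kernel capability numbering: list index == bit position in the Cap* masks.
CAP_NAMES = """cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid
cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service
cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module
cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot
cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease
cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog
cap_wake_alarm cap_block_suspend cap_audit_read cap_perfmon cap_bpf
cap_checkpoint_restore""".split()
CAP_SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

def parse_caps(status_text):
    """Return {set_name: int_mask} for the five Cap* lines of a status listing."""
    masks = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m and m.group(1) in CAP_SETS:
            masks[m.group(1)] = int(m.group(2), 16)
    missing = [s for s in CAP_SETS if s not in masks]
    if missing:
        raise ValueError("missing capability sets: " + ", ".join(missing))
    return masks

def cap_names(mask):
    """Names of the capabilities set in a mask (unknown bits become cap_<n>)."""
    return [CAP_NAMES[i] if i < len(CAP_NAMES) else "cap_%d" % i
            for i in range(mask.bit_length()) if mask >> i & 1]

def privilege_report(status_text):
    """'unprivileged' only when all five sets are 0; 'retained' names the rest."""
    masks = parse_caps(status_text)
    retained = {s: cap_names(v) for s, v in masks.items() if v}
    return {"unprivileged": not retained, "retained": retained}

# Constructed sample (not real output): the --drop=all gotcha. The bounding
# set is empty, yet cap_setuid (bit 7) survives in the I, P and E sets.
DROP_ALL_STATUS = """\
Name:\tbash
CapInh:\t0000000000000080
CapPrm:\t0000000000000080
CapEff:\t0000000000000080
CapBnd:\t0000000000000000
CapAmb:\t0000000000000000
"""
# Constructed sample: the fully empty sets that --mode=NOPRIV leaves behind.
NOPRIV_STATUS = DROP_ALL_STATUS.replace("0000000000000080", "0000000000000000")
```

Feed it the text of /proc/self/status from inside the capsh shell you are testing; a non-empty "retained" entry for CapInh after --drop=all is exactly the case the answer warns about.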
Reputation: 5712
List current capabilities
capsh --print
Current: =
Bounding set=cap_chown,cap_dac_override,[...]
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=1000(user)
gid=1000(user)
groups=4(adm),10101(u0_a101)
Drop all capabilities from the Bounding section listed above:
capsh --drop=cap_chown,cap_dac_override,[...]
+ switch user and group:
capsh --gid=10101 --drop=cap_chown,cap_dac_override,[...] --uid=10101
+ join groups
capsh --gid=10101 --drop=cap_chown,cap_dac_override,[...] \
--uid=10101 --groups=9997,50101
+ execute application
capsh --gid=10101 --drop=cap_chown,cap_dac_override,[...] \
--uid=10101 --groups=9997,50101 -- -c 'ping 127.0.0.1'
Upvotes: 6