tomix86

Reputation: 1446

Is cap_dac_override a superset of cap_dac_read_search?

I'm working on limiting the capabilities of an existing, complex application, and I have been searching for a while for a credible source proving that the permissions included in cap_dac_override are a superset of cap_dac_read_search.

It seems logical that it is indeed the case, as per capabilities(7):

CAP_DAC_OVERRIDE
* Bypass file read, write, and execute permission checks.

CAP_DAC_READ_SEARCH
* Bypass file read permission checks and directory read and execute permission checks;
* invoke open_by_handle_at(2);
* use the linkat(2) AT_EMPTY_PATH flag to create a link to a file referred to by a file descriptor.

Also, my experiments with a capability-check tracer confirm that cap_dac_override should suffice. cap_dac_read_search appears to be checked before cap_dac_override every single time a read access is performed.

I've also found the following post on the grsecurity forums, which unfortunately concerns only /proc:

The way the upstream kernel works is by first checking for CAP_DAC_OVERRIDE and then for CAP_DAC_READ_SEARCH for this case.

I'm still uncertain whether it is completely safe to omit cap_dac_read_search if I want to grant my application complete read access to the whole filesystem. I'm fully aware that cap_dac_override additionally grants write permissions, and I want that.

Would it be possible that somewhere in the kernel there is a place where only a check for cap_dac_read_search is made and not for cap_dac_override?

Should I include both these capabilities just to be on the safe side or is cap_dac_read_search completely redundant in this case?

Upvotes: 8

Views: 3397

Answers (2)

Ohmen

Reputation: 6604

No, it is not. CAP_DAC_OVERRIDE only allows ignoring the permission bits of files. CAP_DAC_READ_SEARCH allows ignoring the read permission bits and also allows executing the open_by_handle_at system call, which can be used to read outside a container chroot.

See https://github.com/gabrtv/shocker for practical application.

If your application only needs full access to the filesystem, then CAP_DAC_OVERRIDE is enough, as you have already concluded.

Upvotes: 5

tomix86

Reputation: 1446

After a bit of additional verification and practical tests, it seems that it is indeed the case that cap_dac_override is a superset of cap_dac_read_search.

When cap_dac_read_search was removed from the application in question, not a single operation failed because of permissions being denied.

Upvotes: 0
