Linux Capabilities: revision differences

Material from noname.com.ua
Current revision as of 14:09, 15 July 2011


POSIX Capabilities
Content:

1.  CAP_CHOWN

Code Listing 1.1: CAP_CHOWN

  CAP_CHOWN
	In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, 
	this overrides the restriction of changing file ownership and 
	group ownership.

2.  CAP_DAC_OVERRIDE

Code Listing 2.1: CAP_DAC_OVERRIDE

  CAP_DAC_OVERRIDE
	Override all DAC access, including ACL execute access 
	if [_POSIX_ACL] is defined. 
	Excluding DAC access covered by CAP_LINUX_IMMUTABLE.

3.  CAP_DAC_READ_SEARCH

Code Listing 3.1: CAP_DAC_READ_SEARCH

  CAP_DAC_READ_SEARCH	
	Overrides all DAC restrictions, regarding read and search on files 
	and directories, including ACL restrictions, if [_POSIX_ACL] is 
	defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE.

4.  CAP_FOWNER

Code Listing 4.1: CAP_FOWNER

  CAP_FOWNER
	Overrides all restrictions about allowed operations on files, where 
	file owner ID must be equal to the user ID, except where CAP_FSETID 
	is applicable. It doesn't override MAC and DAC restrictions.

5.  CAP_FSETID

Code Listing 5.1: CAP_FSETID

  CAP_FSETID
	Overrides the following restrictions, that the effective user ID shall
	match the file owner ID, when setting the S_ISUID and S_ISGID bits on 
	that file; that the effective group ID (or one of the supplementary 
	group IDs) shall match the file owner ID when setting the S_ISGID bit 
	on that file; that the S_ISUID and S_ISGID bits are cleared on 
	successful return from chown(2) (not implemented).

6.  CAP_FS_MASK

Code Listing 6.1: CAP_FS_MASK

  CAP_FS_MASK
	Used to decide between falling back on the old suser() or fsuser().

7.  CAP_KILL

Code Listing 7.1: CAP_KILL

  CAP_KILL
	Overrides the restriction, that the real or effective user ID of a process,
	sending a signal, must match the real or effective user ID of the process,
	receiving the signal.

8.  CAP_SETGID

Code Listing 8.1: CAP_SETGID

  CAP_SETGID
	Allows setgid(2) manipulation;
	Allows setgroups(2);
	Allows forged gids on socket credentials passing.

9.  CAP_SETUID

Code Listing 9.1: CAP_SETUID

  CAP_SETUID
	Allows set*uid(2) manipulation (including fsuid);
	Allows forged pids on socket credentials passing.

10.  CAP_SETPCAP

Code Listing 10.1: CAP_SETPCAP

  CAP_SETPCAP
	Transfer any capability in your permitted set to any pid, remove any capability in your permitted set from any pid.

11.  CAP_LINUX_IMMUTABLE

Code Listing 11.1: CAP_LINUX_IMMUTABLE

  CAP_LINUX_IMMUTABLE
	Allow modification of S_IMMUTABLE and S_APPEND file attributes.

12.  CAP_NET_BIND_SERVICE

Code Listing 12.1: CAP_NET_BIND_SERVICE

  CAP_NET_BIND_SERVICE
	Allows binding to TCP/UDP sockets below 1024;
	Allows binding to ATM VCIs below 32.

13.  CAP_NET_BROADCAST

Code Listing 13.1: CAP_NET_BROADCAST

  CAP_NET_BROADCAST
	Allow broadcasting, listen to multicast.

14.  CAP_NET_ADMIN

Code Listing 14.1: CAP_NET_ADMIN

  CAP_NET_ADMIN
	Allow interface configuration;
	Allow administration of IP firewall, masquerading and accounting;
	Allow setting debug option on sockets;
	Allow modification of routing tables;
	Allow setting arbitrary process / process group ownership on sockets;
	Allow binding to any address for transparent proxying;
	Allow setting TOS (type of service);
	Allow setting promiscuous mode;
	Allow clearing driver statistics;
	Allow multicasting;
	Allow read/write of device-specific registers;
	Allow activation of ATM control sockets.

15.  CAP_NET_RAW

Code Listing 15.1: CAP_NET_RAW

  CAP_NET_RAW
	Allow use of RAW sockets;
	Allow use of PACKET sockets.

16.  CAP_IPC_LOCK

Code Listing 16.1: CAP_IPC_LOCK

  CAP_IPC_LOCK
	Allow locking of shared memory segments;
	Allow mlock and mlockall (which doesn't really have anything to do with IPC).

17.  CAP_IPC_OWNER

Code Listing 17.1: CAP_IPC_OWNER

  CAP_IPC_OWNER
	Override IPC ownership checks.

18.  CAP_SYS_MODULE

Code Listing 18.1: CAP_SYS_MODULE

  CAP_SYS_MODULE
	Insert and remove kernel modules - modify kernel without limit;
	Modify cap_bset.

19.  CAP_SYS_RAWIO

Code Listing 19.1: CAP_SYS_RAWIO

  CAP_SYS_RAWIO
	Allow ioperm/iopl access;
	Allow sending USB messages to any device via /proc/bus/usb.

20.  CAP_SYS_CHROOT

Code Listing 20.1: CAP_SYS_CHROOT

  CAP_SYS_CHROOT
	Allow use of chroot().

21.  CAP_SYS_PTRACE

Code Listing 21.1: CAP_SYS_PTRACE

  CAP_SYS_PTRACE
	Allow ptrace() of any process.

22.  CAP_SYS_PACCT

Code Listing 22.1: CAP_SYS_PACCT

  CAP_SYS_PACCT
	Allow configuration of process accounting.

23.  CAP_SYS_ADMIN

Code Listing 23.1: CAP_SYS_ADMIN

  CAP_SYS_ADMIN
	Allow configuration of the secure attention key;
	Allow administration of the random device;
	Allow examination and configuration of disk quotas;
	Allow configuring the kernel's syslog (printk behaviour);
	Allow setting the domainname;
	Allow setting the hostname;
	Allow calling bdflush();
	Allow mount() and umount(), setting up new smb connection;
	Allow some autofs root ioctls;
	Allow nfsservctl;
	Allow VM86_REQUEST_IRQ;
	Allow to read/write pci config on alpha;
	Allow irix_prctl on mips (setstacksize);
	Allow flushing all cache on m68k (sys_cacheflush);
	Allow removing semaphores;
	Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores and shared memory;
	Allow locking/unlocking of shared memory segment;
	Allow turning swap on/off;
	Allow forged pids on socket credentials passing;
	Allow setting readahead and flushing buffers on block devices;
	Allow setting geometry in floppy driver;
	Allow turning DMA on/off in xd driver;
	Allow administration of md devices (mostly the above, but some extra ioctls);
	Allow tuning the ide driver;
	Allow access to the nvram device;
	Allow administration of apm_bios, serial and bttv (TV) device;
	Allow manufacturer commands in isdn CAPI support driver;
	Allow reading nonstandardized portions of pci configuration space;
	Allow DDI debug ioctl on sbpcd driver;
	Allow setting up serial ports;
	Allow sending raw qic117 commands;
	Allow enabling/disabling tagged queuing on SCSI controllers and sending arbitrary SCSI commands;
	Allow setting encryption key on loopback filesystem.

24.  CAP_SYS_BOOT

Code Listing 24.1: CAP_SYS_BOOT

  CAP_SYS_BOOT
	Allow use of reboot().

25.  CAP_SYS_NICE

Code Listing 25.1: CAP_SYS_NICE

  CAP_SYS_NICE
	Allow raising priority and setting priority on other (different UID) processes;
	Allow use of FIFO and round-robin (realtime) scheduling on own processes and setting 
	the scheduling algorithm used by another process.

26.  CAP_SYS_RESOURCE

Code Listing 26.1: CAP_SYS_RESOURCE

  CAP_SYS_RESOURCE 
	Override resource limits. Set resource limits;
	Override quota limits;
	Override reserved space on ext2 filesystem;
	Modify data journaling mode on ext3 filesystem 
	(uses journaling resources); NOTE: ext2 honors fsuid when checking for
	resource overrides, so you can override using fsuid too;
	Override size restrictions on IPC message queues;
	Allow more than 64hz interrupts from the realtime clock;
	Override max number of consoles on console allocation;
	Override max number of keymaps.

27.  CAP_SYS_TIME

Code Listing 27.1: CAP_SYS_TIME

  CAP_SYS_TIME
	Allow manipulation of system clock;
	Allow irix_stime on mips;
	Allow setting the realtime clock.

28.  CAP_SYS_TTY_CONFIG

Code Listing 28.1: CAP_SYS_TTY_CONFIG

  CAP_SYS_TTY_CONFIG
	Allow configuration of tty devices; Allow vhangup() of tty.

29.  CAP_MKNOD

Code Listing 29.1: CAP_MKNOD

  CAP_MKNOD
	Allow the privileged aspects of mknod().

30.  CAP_LEASE

Code Listing 30.1: CAP_LEASE

  CAP_LEASE
	Allow taking of leases on files.


To rid the system of programs carrying the suid bit, the following procedure can be used.
Capabilities are attached to an executable with the setcap utility from the libcap2-bin package:

   sudo apt-get install libcap2-bin

To produce the list of setuid-root and setgid-root programs, the following commands can be used:

   find /bin /sbin /lib /usr/bin /usr/sbin /usr/lib -perm /4000 -user root
   find /bin /sbin /lib /usr/bin /usr/sbin /usr/lib -perm /2000 -group root

Commands for replacing setuid/setgid for the base packages:

coreutils

   chmod u-s /bin/su
   setcap cap_setgid,cap_setuid+ep /bin/su

dcron

   chmod u-s /usr/bin/crontab
   setcap cap_dac_override,cap_setgid+ep /usr/bin/crontab

inetutils

   chmod u-s /usr/bin/rsh
   setcap cap_net_bind_service+ep /usr/bin/rsh

   chmod u-s /usr/bin/rcp
   setcap cap_net_bind_service+ep /usr/bin/rcp

   chmod u-s /usr/bin/rlogin
   setcap cap_net_bind_service+ep /usr/bin/rlogin

iputils

   chmod u-s /bin/ping
   setcap cap_net_raw+ep /bin/ping

   chmod u-s /bin/ping6
   setcap cap_net_raw+ep /bin/ping6

   chmod u-s /bin/traceroute
   setcap cap_net_raw+ep /bin/traceroute

   chmod u-s /bin/traceroute6
   setcap cap_net_raw+ep /bin/traceroute6

pam

   chmod u-s /sbin/unix_chkpwd
   setcap cap_dac_read_search+ep /sbin/unix_chkpwd

shadow

   chmod u-s /usr/bin/chage
   setcap cap_dac_read_search+ep /usr/bin/chage

   chmod u-s /usr/bin/chfn
   setcap cap_chown,cap_setuid+ep /usr/bin/chfn

   chmod u-s /usr/bin/chsh
   setcap cap_chown,cap_setuid+ep /usr/bin/chsh

   chmod u-s /usr/bin/expiry
   setcap cap_dac_override,cap_setgid+ep /usr/bin/expiry

   chmod u-s /usr/bin/gpasswd
   setcap cap_chown,cap_dac_override,cap_setuid+ep /usr/bin/gpasswd

   chmod u-s /usr/bin/newgrp
   setcap cap_dac_override,cap_setgid+ep /usr/bin/newgrp

   chmod u-s /usr/bin/passwd
   setcap cap_chown,cap_dac_override,cap_fowner+ep /usr/bin/passwd

xorg-xserver

   chmod u-s /usr/bin/Xorg
   setcap cap_chown,cap_dac_override,cap_sys_rawio,cap_sys_admin+ep /usr/bin/Xorg


screen - strictly requires setuid in order to perform certain checks

util-linux-ng - using this package with capabilities is not recommended, because the implementations of the mount and umount commands contain certain checks that are only performed under setuid and are skipped under capabilities, which would let users mount file systems they have no access to.
More about the dangers of moving a program from setuid to capabilities without a code audit can be read [[http://www.opennet.ru/openforum/vsluhforumID3/71880.html#13 here]].

URL: https://wiki.archlinux.org/index.php/Using_File_Capabilities...
Discussed at: http://www.opennet.ru/tips/info/2469.shtml
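The two things a defender has to do with the material above are to read a process's capability sets (the list of CAP_* names) and to check that the file capabilities actually present on disk match what the chmod u-s / setcap procedure was meant to leave behind. The following Python script is an added example, not code from the original page or from libcap: it decodes the hex CapInh/CapPrm/CapEff values found in /proc/<pid>/status into the names listed above, parses the output of getcap in both libcap output styles, and compares it with an allowlist, flagging binaries outside the policy, binaries holding more than the policy grants, capabilities that are close to setuid root (cap_sys_admin, which the mount/umount warning is about, cap_dac_override, cap_setuid and the like), and policy entries with no file capability at all. The bit positions come from the kernel's include/linux/capability.h, not from the item numbers of the list above (CAP_FS_MASK is a mask over the first five bits, not a capability, so it has no bit); the HIGH_RISK set, the policy dictionary and all sample input are constructed for the example.

```python
import re

# Kernel bit positions (include/linux/capability.h) for the 29 capabilities
# this page lists. CAP_FS_MASK is a mask over the first five bits, not a
# capability of its own, so it has no entry here.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}

# Constructed selection: capabilities whose holder can read or rewrite
# arbitrary files, load kernel code, or change identity. Granting one of
# these to a binary is close to leaving it setuid root and needs the code
# audit the page asks for.
HIGH_RISK = {
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_setuid", "cap_setpcap", "cap_sys_module", "cap_sys_rawio",
    "cap_sys_ptrace", "cap_sys_admin", "cap_mknod",
}


def decode_mask(hex_mask):
    """Decode a CapInh/CapPrm/CapEff value from /proc/<pid>/status.

    Returns (names, unknown_bits): names for the bits this page documents and
    the bit numbers of any capability newer than CAP_LEASE that is also set.
    """
    mask = int(hex_mask, 16)
    names = [name for name in CAP_NAMES if mask & (1 << CAP_BIT[name])]
    unknown = [b for b in range(len(CAP_NAMES), mask.bit_length()) if mask & (1 << b)]
    return names, unknown


def caps_from_status(status_text):
    """Collect the Cap* lines of a /proc/<pid>/status dump into {set: [names]}."""
    sets = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            sets[m.group(1)] = decode_mask(m.group(2))[0]
    return sets


# One clause of cap_to_text output: names, then '+' or '=', then e/i/p flags.
CLAUSE = re.compile(r"^([a-z_,]+)[+=]([eip]+)$")


def parse_getcap_line(line):
    """Parse one getcap line in either libcap output style:
       '/bin/ping = cap_net_raw+ep'   (older libcap)
       '/bin/ping cap_net_raw=ep'     (libcap 2.41 and later)
    Returns (path, {cap_name: set(flags)}) with the same e/i/p letters the
    setcap lines on this page use.
    """
    tokens = line.split()
    path, clauses = tokens[0], [t for t in tokens[1:] if t != "="]
    caps = {}
    for clause in clauses:
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unrecognised capability clause {clause!r} for {path}")
        for name in m.group(1).split(","):
            if name not in CAP_BIT:
                raise ValueError(f"unknown capability {name} for {path}")
            caps[name] = set(m.group(2))
    return path, caps


def audit_getcap(getcap_output, policy):
    """Compare `getcap -r` output with an allowlist {path: {cap, ...}}.

    Returns (path, finding) pairs: binaries not in the policy, binaries holding
    more than the policy grants, high-risk capabilities (reported even when
    allowed, so they stay visible), and policy entries with no file
    capability, which usually means the chmod u-s / setcap pair was never run.
    """
    findings, seen = [], set()
    for line in getcap_output.splitlines():
        if not line.strip():
            continue
        path, caps = parse_getcap_line(line)
        seen.add(path)
        allowed = policy.get(path)
        if allowed is None:
            findings.append((path, "not in policy: " + ",".join(sorted(caps))))
            continue
        extra = set(caps) - allowed
        if extra:
            findings.append((path, "beyond policy: " + ",".join(sorted(extra))))
        risky = set(caps) & HIGH_RISK
        if risky:
            findings.append((path, "high-risk: " + ",".join(sorted(risky))))
    for path in sorted(policy.keys() - seen):
        findings.append((path, "no file capabilities set (still setuid?)"))
    return findings


# Constructed sample data, not real system output.
SAMPLE_STATUS = "CapPrm:\t0000000000002400\nCapEff:\t0000000000002400\n"
SAMPLE_GETCAP = (
    "/bin/ping = cap_net_raw+ep\n"
    "/usr/bin/Xorg = cap_chown,cap_dac_override,cap_sys_rawio,cap_sys_admin+ep\n"
    "/usr/local/bin/helper cap_setuid=ep\n"
)
SAMPLE_POLICY = {
    "/bin/ping": {"cap_net_raw"},
    "/usr/bin/passwd": {"cap_chown", "cap_dac_override", "cap_fowner"},
    "/usr/bin/Xorg": {"cap_chown", "cap_dac_override", "cap_sys_rawio", "cap_sys_admin"},
}

if __name__ == "__main__":
    print(caps_from_status(SAMPLE_STATUS))
    for path, finding in audit_getcap(SAMPLE_GETCAP, SAMPLE_POLICY):
        print(path, finding)
```

On a live system, feed `getcap -r / 2>/dev/null` into audit_getcap and the contents of /proc/<pid>/status into caps_from_status; the policy dictionary is the list of chmod u-s / setcap pairs you actually applied. The /usr/bin/Xorg line in the sample shows why high-risk findings are reported even for allowed entries: its four capabilities are exactly the page's own mapping, and every one of them is in the high-risk set.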