Linux Capabilities
Material from noname.com.ua
Revision as of 16:40, 12 January 2011; Sirmax
POSIX Capabilities

The entries below follow the descriptions in the kernel's include/linux/capability.h. Note that the kernel numbers capabilities from 0 (CAP_CHOWN = 0, CAP_DAC_OVERRIDE = 1, ...); the bit positions matter when reading masks such as CapEff in /proc/<pid>/status.

CAP_CHOWN: In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this overrides the restriction of changing file ownership and group ownership.

CAP_DAC_OVERRIDE: Override all DAC access, including ACL execute access if [_POSIX_ACL] is defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE.

CAP_DAC_READ_SEARCH: Overrides all DAC restrictions regarding read and search on files and directories, including ACL restrictions if [_POSIX_ACL] is defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE.

CAP_FOWNER: Overrides all restrictions on operations on files where the file owner ID must be equal to the user ID, except where CAP_FSETID is applicable. It does not override MAC and DAC restrictions.

CAP_FSETID: Overrides the following restrictions: that the effective user ID shall match the file owner ID when setting the S_ISUID and S_ISGID bits on that file; that the effective group ID (or one of the supplementary group IDs) shall match the file owner ID when setting the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are cleared on successful return from chown(2) (not implemented).

CAP_FS_MASK: Not a capability of its own but a mask covering the filesystem-related capabilities above; used to decide between falling back on the old suser() or fsuser().

CAP_KILL: Overrides the restriction that the real or effective user ID of a process sending a signal must match the real or effective user ID of the process receiving the signal.

CAP_SETGID: Allows setgid(2) manipulation; allows setgroups(2); allows forged gids on socket credentials passing.

CAP_SETUID: Allows set*uid(2) manipulation (including fsuid); allows forged pids on socket credentials passing.

CAP_SETPCAP: Transfer any capability in your permitted set to any pid, remove any capability in your permitted set from any pid. (This is the pre-2.6.24 meaning; on kernels with file capabilities, CAP_SETPCAP instead governs dropping capabilities from the bounding set and raising capabilities into the inheritable set.)

CAP_LINUX_IMMUTABLE: Allow modification of the S_IMMUTABLE and S_APPEND file attributes.

CAP_NET_BIND_SERVICE: Allows binding to TCP/UDP ports below 1024; allows binding to ATM VCIs below 32.

CAP_NET_BROADCAST: Allow broadcasting, listen to multicast.

CAP_NET_ADMIN: Allow interface configuration; allow administration of IP firewall, masquerading and accounting; allow setting debug option on sockets; allow modification of routing tables; allow setting arbitrary process / process group ownership on sockets; allow binding to any address for transparent proxying; allow setting TOS (type of service); allow setting promiscuous mode; allow clearing driver statistics; allow multicasting; allow read/write of device-specific registers; allow activation of ATM control sockets.

CAP_NET_RAW: Allow use of RAW sockets; allow use of PACKET sockets.

CAP_IPC_LOCK: Allow locking of shared memory segments; allow mlock and mlockall (which does not really have anything to do with IPC).

CAP_IPC_OWNER: Override IPC ownership checks.

CAP_SYS_MODULE: Insert and remove kernel modules, i.e. modify the kernel without limit; modify cap_bset.

CAP_SYS_RAWIO: Allow ioperm/iopl access; allow sending USB messages to any device via /proc/bus/usb.

CAP_SYS_CHROOT: Allow use of chroot().

CAP_SYS_PTRACE: Allow ptrace() of any process.

CAP_SYS_PACCT: Allow configuration of process accounting.

CAP_SYS_ADMIN: Allow configuration of the secure attention key; allow administration of the random device; allow examination and configuration of disk quotas; allow configuring the kernel's syslog (printk behaviour); allow setting the domainname; allow setting the hostname; allow calling bdflush(); allow mount() and umount(), setting up a new smb connection; allow some autofs root ioctls; allow nfsservctl; allow VM86_REQUEST_IRQ; allow read/write of pci config on alpha; allow irix_prctl on mips (setstacksize); allow flushing all cache on m68k (sys_cacheflush); allow removing semaphores; used instead of CAP_CHOWN to "chown" IPC message queues, semaphores and shared memory; allow locking/unlocking of shared memory segments; allow turning swap on/off; allow forged pids on socket credentials passing; allow setting readahead and flushing buffers on block devices; allow setting geometry in the floppy driver; allow turning DMA on/off in the xd driver; allow administration of md devices (mostly the above, but some extra ioctls); allow tuning the ide driver; allow access to the nvram device; allow administration of apm_bios, serial and bttv (TV) devices; allow manufacturer commands in the isdn CAPI support driver; allow reading non-standardized portions of pci configuration space; allow DDI debug ioctl on the sbpcd driver; allow setting up serial ports; allow sending raw qic117 commands; allow enabling/disabling tagged queuing on SCSI controllers and sending arbitrary SCSI commands; allow setting the encryption key on the loopback filesystem.

CAP_SYS_BOOT: Allow use of reboot().

CAP_SYS_NICE: Allow raising priority and setting priority on other (different UID) processes; allow use of FIFO and round-robin (realtime) scheduling on own processes and setting the scheduling algorithm used by another process.

CAP_SYS_RESOURCE: Override resource limits; set resource limits; override quota limits; override reserved space on ext2 filesystems; modify the data journaling mode on ext3 filesystems (uses journaling resources); NOTE: ext2 honors fsuid when checking for resource overrides, so you can override using fsuid too; override size restrictions on IPC message queues; allow more than 64 Hz interrupts from the realtime clock; override the maximum number of consoles on console allocation; override the maximum number of keymaps.

CAP_SYS_TIME: Allow manipulation of the system clock; allow irix_stime on mips; allow setting the realtime clock.

CAP_SYS_TTY_CONFIG: Allow configuration of tty devices; allow vhangup() of a tty.

CAP_MKNOD: Allow the privileged aspects of mknod().

CAP_LEASE: Allow taking of leases on files.
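As an added example (not part of the original page), here is a POSIX shell function that turns the hexadecimal capability masks the kernel reports in /proc/<pid>/status (CapInh, CapPrm, CapEff, CapBnd, CapAmb) into the names above. The bit positions are the kernel's own, starting at CAP_CHOWN = 0 (CAP_FS_MASK has no bit of its own); the name table goes beyond the page's list and also carries the capabilities added to later kernels (CAP_AUDIT_WRITE through CAP_CHECKPOINT_RESTORE), so that masks from a current machine decode fully. The function names cap_names and proc_caps are this example's own.

```shell
#!/bin/sh
# Added example, not from the page: decode kernel capability masks into names.
# Bit positions are the kernel's (CAP_CHOWN = 0); CAP_FS_MASK is a mask, not a bit.
CAP_NAMES="cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid \
cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable \
cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock \
cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace \
cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource \
cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write \
cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog \
cap_wake_alarm cap_block_suspend cap_audit_read cap_perfmon cap_bpf \
cap_checkpoint_restore"

# cap_names HEXMASK -> comma-separated names, "(none)" for an empty mask.
# Accepts the 16-digit form printed by /proc/<pid>/status, e.g. 0000000000003000.
cap_names() {
  mask=$((0x$1))
  out=""
  i=0
  for name in $CAP_NAMES; do
    if [ $(( (mask >> i) & 1 )) -ne 0 ]; then
      out="${out:+$out,}$name"
    fi
    i=$((i + 1))
  done
  # Any bit beyond the table comes from a kernel newer than this list.
  if [ $(( mask >> i )) -ne 0 ]; then
    out="${out:+$out,}unknown(bit>=$i)"
  fi
  printf '%s\n' "${out:-(none)}"
}

# proc_caps [PID] -> every capability set of a live process, decoded.
# Comparing CapEff with CapBnd shows what a sandbox or service manager removed.
proc_caps() {
  pid=${1:-self}
  while read -r key val; do
    case $key in
      CapInh:|CapPrm:|CapEff:|CapBnd:|CapAmb:)
        printf '%-7s %s  %s\n' "$key" "$val" "$(cap_names "$val")" ;;
    esac
  done < "/proc/$pid/status"
}

# Usage: proc_caps $$        (the current shell)
#        proc_caps 1234      (a daemon, e.g. to confirm it dropped cap_sys_admin)
```

A mask such as 0000000000003000 decodes to cap_net_admin,cap_net_raw (bits 12 and 13), which is exactly the kind of check worth running against a service that is supposed to hold only cap_net_bind_service.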
To rid the system of programs carrying the setuid bit, the following procedure can be used. Capabilities are attached to an executable with the setcap utility from the libcap2-bin package:

sudo apt-get install libcap2-bin

The list of setuid-root and setgid-root programs can be produced with:

find /bin /sbin /lib /usr/bin /usr/sbin /usr/lib -perm /4000 -user root
find /bin /sbin /lib /usr/bin /usr/sbin /usr/lib -perm /2000 -group root

Commands replacing setuid/setgid for the basic packages:

coreutils
chmod u-s /bin/su
setcap cap_setgid,cap_setuid+ep /bin/su

dcron
chmod u-s /usr/bin/crontab
setcap cap_dac_override,cap_setgid+ep /usr/bin/crontab

inetutils
chmod u-s /usr/bin/rsh
setcap cap_net_bind_service+ep /usr/bin/rsh
chmod u-s /usr/bin/rcp
setcap cap_net_bind_service+ep /usr/bin/rcp
chmod u-s /usr/bin/rlogin
setcap cap_net_bind_service+ep /usr/bin/rlogin

iputils
chmod u-s /bin/ping
setcap cap_net_raw+ep /bin/ping
chmod u-s /bin/ping6
setcap cap_net_raw+ep /bin/ping6
chmod u-s /bin/traceroute
setcap cap_net_raw+ep /bin/traceroute
chmod u-s /bin/traceroute6
setcap cap_net_raw+ep /bin/traceroute6

pam
chmod u-s /sbin/unix_chkpwd
setcap cap_dac_read_search+ep /sbin/unix_chkpwd

shadow
chmod u-s /usr/bin/chage
setcap cap_dac_read_search+ep /usr/bin/chage
chmod u-s /usr/bin/chfn
setcap cap_chown,cap_setuid+ep /usr/bin/chfn
chmod u-s /usr/bin/chsh
setcap cap_chown,cap_setuid+ep /usr/bin/chsh
chmod u-s /usr/bin/expiry
setcap cap_dac_override,cap_setgid+ep /usr/bin/expiry
chmod u-s /usr/bin/gpasswd
setcap cap_chown,cap_dac_override,cap_setuid+ep /usr/bin/gpasswd
chmod u-s /usr/bin/newgrp
setcap cap_dac_override,cap_setgid+ep /usr/bin/newgrp
chmod u-s /usr/bin/passwd
setcap cap_chown,cap_dac_override,cap_fowner+ep /usr/bin/passwd

xorg-xserver
chmod u-s /usr/bin/Xorg
setcap cap_chown,cap_dac_override,cap_sys_rawio,cap_sys_admin+ep /usr/bin/Xorg

screen: must keep setuid; it relies on it to perform certain checks.

util-linux-ng: using this package with capabilities is not recommended, because the implementation of mount and umount contains checks that only take effect under setuid and are skipped under capabilities, which lets users mount filesystems they have no access to.

Before converting anything, keep the following in mind. File capabilities are stored in the security.capability extended attribute of the binary and are lost whenever the file is replaced, for example by a package upgrade, so the chmod/setcap pair has to be re-applied after every update; getcap -r / 2>/dev/null lists what currently carries them. The kernel ignores both set-id bits and file capabilities on filesystems mounted nosuid. Finally, +ep is not a small privilege: cap_setuid alone is enough to call setuid(0), cap_dac_override bypasses every discretionary file permission check, and cap_sys_admin is close to unrestricted root, so a binary that receives one of these sets must be audited exactly as a setuid-root binary would be.

More on the dangers of moving a program from setuid to capabilities without a code audit can be read here: http://www.opennet.ru/openforum/vsluhforumID3/71880.html#13

URL: https://wiki.archlinux.org/index.php/Using_File_Capabilities...

Discussed at: http://www.opennet.ru/tips/info/2469.shtml
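The procedure above, written up as an added POSIX shell script (not from the page or from the Arch wiki it cites): it finds set-id files, looks each one up in a table built from the per-package sets listed above, and prints a plan that marks binaries the text says must stay set-id (screen, mount, umount) as KEEP and anything not in the table as UNKNOWN, so nothing is touched without an audit. The plan is a dry run; apply performs the conversion for one file and re-reads the result with getcap. The function names (caps_for, list_setid, plan_one, plan, apply) and the CONVERT/KEEP/UNKNOWN labels are this example's own.

```shell
#!/bin/sh
# Added example, not from the page: audit set-id binaries and plan/apply their
# replacement by file capabilities, using the per-binary sets listed above.
set -u

# "basename capabilities" pairs from the list above. "-" marks binaries the
# text says must keep real set-id (screen; mount/umount from util-linux-ng).
CAP_TABLE='
su cap_setgid,cap_setuid
crontab cap_dac_override,cap_setgid
rsh cap_net_bind_service
rcp cap_net_bind_service
rlogin cap_net_bind_service
ping cap_net_raw
ping6 cap_net_raw
traceroute cap_net_raw
traceroute6 cap_net_raw
unix_chkpwd cap_dac_read_search
chage cap_dac_read_search
chfn cap_chown,cap_setuid
chsh cap_chown,cap_setuid
expiry cap_dac_override,cap_setgid
gpasswd cap_chown,cap_dac_override,cap_setuid
newgrp cap_dac_override,cap_setgid
passwd cap_chown,cap_dac_override,cap_fowner
Xorg cap_chown,cap_dac_override,cap_sys_rawio,cap_sys_admin
screen -
mount -
umount -
'

# caps_for NAME -> capability list, "-" for do-not-convert, empty if unknown.
caps_for() {
  printf '%s\n' "$CAP_TABLE" | awk -v n="$1" '$1 == n { print $2; exit }'
}

# list_setid DIR... -> regular files with the setuid or setgid bit set.
# Unlike the one-liners above this does not filter on owner root, so it also
# surfaces set-id files owned by other users, which deserve a look too.
list_setid() {
  find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# plan_one PATH -> one line: CONVERT (with the commands), KEEP or UNKNOWN.
plan_one() {
  path=$1
  caps=$(caps_for "$(basename "$path")")
  case $caps in
    "") printf 'UNKNOWN %s  # audit before touching\n' "$path" ;;
    -)  printf 'KEEP    %s  # needs real set-id, see notes\n' "$path" ;;
    *)  printf 'CONVERT %s  # chmod u-s %s && setcap %s+ep %s\n' \
          "$path" "$path" "$caps" "$path" ;;
  esac
}

# plan DIR... -> a plan line for every set-id file found; changes nothing.
plan() {
  list_setid "$@" | while IFS= read -r f; do plan_one "$f"; done
}

# apply PATH -> convert one file (needs root) and show the resulting xattr.
# Remember: the security.capability xattr is lost when the file is replaced,
# so re-run this after a package upgrade of the binary.
apply() {
  caps=$(caps_for "$(basename "$1")")
  case $caps in
    ""|-) echo "refusing to convert $1" >&2; return 1 ;;
  esac
  chmod u-s "$1" && setcap "$caps+ep" "$1" && getcap "$1"
}

# Usage: plan /bin /sbin /usr/bin /usr/sbin /lib /usr/lib
#        apply /bin/ping
```

Run plan first and read the UNKNOWN lines: every set-id binary not in the table is one the page gives no capability set for, and the mount/umount case shows why guessing a set from a binary's name is unsafe.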