Geek Answers Handbook

How to carry out the process while maintaining capabilities, despite the lack of capabilities based on the file system?

I want the system to be used without setuid , "+ p" files and generally without things that are disabled when I set PR_SET_NO_NEW_PRIVS .

With this approach ( init sets PR_SET_NO_NEW_PRIVS and raising the capabilities based on the file system is no longer possible), you cannot "replenish" your capabilities and only have to be careful not to "splash" them.

How can execve execute any other process without spattering any provided features (for example, if the new program file is setcap =ei )? Just "I trust this new process, as far as I trust myself." For example, an opportunity is provided to the user (and the user wants to use it in any program that he runs) ...

Can I completely create the file system =ei ? I want the file system to simply not interfere with the scheme, unable to provide or revoke features; controlling everything through parental> children's things.

+4
source share
3 answers

I am not saying that I recommend this for what you are doing, but here it is.

Extracted from the manual, some changes have occurred. Accordingly: fork does not change the features. And now in the Linux 4.3 kernel the surrounding set is added, it seems that this is what you are trying to do.

  Ambient (since Linux 4.3): This is a set of capabilities that are preserved across an execve(2) of a program that is not privileged. The ambient capability set obeys the invariant that no capability can ever be ambient if it is not both permitted and inheritable. The ambient capability set can be directly modified using prctl(2). Ambient capabilities are automatically lowered if either of the corresponding permitted or inheritable capabilities is lowered. Executing a program that changes UID or GID due to the set- user-ID or set-group-ID bits or executing a program that has any file capabilities set will clear the ambient set. Ambient capabilities are added to the permitted set and assigned to the effective set when execve(2) is called. A child created via fork(2) inherits copies of its parent's capability sets. See below for a discussion of the treatment of capabilities during execve(2). Transformation of capabilities during execve() During an execve(2), the kernel calculates the new capabilities of the process using the following algorithm: P'(ambient) = (file is privileged) ? 0 : P(ambient) P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & cap_bset) | P'(ambient) P'(effective) = F(effective) ? P'(permitted) : P'(ambient) P'(inheritable) = P(inheritable) [ie, unchanged] where: P denotes the value of a thread capability set before the execve(2) P' denotes the value of a thread capability set after the execve(2) F denotes a file capability set cap_bset is the value of the capability bounding set (described below). A privileged file is one that has capabilities or has the set-user-ID or set-group-ID bit set.
+3
source

There is currently no easy way to do this if you are linking to the features man page:

 During an execve(2), the kernel calculates the new capabilities of the process using the following algorithm: P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & cap_bset) P'(effective) = F(effective) ? P'(permitted) : 0 P'(inheritable) = P(inheritable) [ie, unchanged] where: P denotes the value of a thread capability set before the execve(2) P' denotes the value of a capability set after the execve(2) F denotes a file capability set cap_bset is the value of the capability bounding set

If the file you want to execute does not have the fP bit set, or if its fI bits are not set, your process will not have allowed and therefore effective capabilities.

Configuring the entire permitted file system and inheritance bits will be technically possible, but this does not make much sense, since it will greatly reduce security in the system (change: and, as you mentioned, this will not work for new executable files).

You can really provide some features to the user using pam_cap, but you cannot allow them to execute any file that they just compiled using this. Opportunities are created to provide authority to programs, not users, you can read Hallyn paper :

A key understanding is the observation that programs, not people, exercise privilege. That is, everything that is done on the computer is carried out through agent-programs - and only if these programs know what to do with the privilege, they can be trusted to use it.

See also the POSIX 1003.1e project , which defines the capabilities of POSIX, page 310:

It is also impractical to establish a chain of processes (a sequence of programs within a single process) a set of capabilities that remains fixed and active throughout the life of this chain. [...] This is the application of the principle of least privilege, and this applies equally to users and processes.

Someone has asked for what you want to do recently as the Linux kernel mailing list (dec. 2012), and there are some very interesting answers. Some people claim that the ability to delete files in the inheritance rules in exec will lead to some security issues and that the capabilities are not intended for such a function, although it doesn't explain what kind of security problem it introduces: /

The only way to do this at the moment is to change the inheritance method inherited in the Linux kernel (2 files to modify, I successfully tested it on the 3.7 kernel), but it is unclear whether this is protected or not. above.

In older kernels (before 2.6.33), it was possible to compile without the possibility of a file ( CONFIG_SECURITY_FILE_CAPABILITIES ), but I doubt that working with such an old kernel is an option for you.

+2
source

I think (my understanding) that the best way to use the features is:

  • For programs that need features that are reliable, including reliable ones rather than leakages: for example, a package that sniffs part of a wired shark, a web server that should listen on port 80.
    • new programs, available features: allowed.
    • outdated programs, not feature-aware: set permissible and effective
  • For programs that will take advantage of the leak capabilities, and have code that could (sometimes) use the opportunity: set inherited
    • eg. for chmod set inherit CAP_FOWNER, if the user needs superpowers (usually they are root), then they need to use setpriv (or the equivalent, this could be converted to sudo ), otherwise it will work in unprivileged mode.
  • When a process needs to be forked out and some features shared, then and only then use ambient. Probably the same executable; if it was different, then this new one would allow or inherit the set in the file. [Edit: I just realized that you don’t need ambient if you don’t perform. If I think of a use case for ambient in a well-tuned system, I will add it here. Ambient can be used as a transition mechanism when the inherited one is not installed on files that can use it.]

Ambient Use:

  • In a system where files do not have the correct capabilities. (transitional method).
  • For shell scripts that cannot have capabilities (because they cannot have setuid), except for systems that are patched and then allow setuid for scripts.
  • Add more here.
0
source

More articles:


All Articles