Linux Capabilities: Difference between revisions
(Created page with "=External= * https://man7.org/linux/man-pages/man7/capabilities.7.html =Internal= =Overview= Linux (or kernel) capabilities") |
|||
| (22 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
=External= | =External= | ||
* https://man7.org/linux/man-pages/man7/capabilities.7.html | * https://man7.org/linux/man-pages/man7/capabilities.7.html | ||
* https://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid/ | |||
* https://docs.docker.com/engine/security/security/#linux-kernel-capabilities | |||
* https://github.com/torvalds/linux/blob/master/include/uapi/linux/capability.h | |||
=Internal= | =Internal= | ||
* [[Linux Security#Subjects|Linux Security]] | |||
* [[Linux Security Concepts]] | |||
* [[Kubernetes_Pod_and_Container_Security#Linux_.28Kernel.29_Capabilities|Kubernetes Pod and Container Security]] | |||
=Overview= | =Overview= | ||
Linux (or kernel) capabilities | Traditional UNIX implementations distinguish two categories of processes for the purpose of performing permission checks: [[Linux_Security_Concepts#Privileged_Process|privileged processes]] and [[Linux_Security_Concepts#Unprivileged_Process|unprivileged processes]]. A privileged process is a process with its effective user ID is 0, referred to as superuser or root. An unprivileged process is a process with a non-zero its effective user ID. Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process' credentials: [[Linux_Security_Concepts#Effective_User_ID|effective UID]], [[Linux_Security_Concepts#Effective_Group_ID|effective GID]] and [[Linux_Security_Concepts#Supplementary_Group_List|supplementary group list]]. | ||
Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as '''Linux (or kernel) capabilities''', which can be independently enabled and disabled. Instead of making a process privileged and giving it unlimited permissions, a much safer method from a security perspective is to give it access only to the kernel features it really requires. Capabilities are a per-thread attribute. | |||
=Display Capabilities for a Process= | |||
Get the PID and then: | |||
<syntaxhighlight lang='text'> | |||
cd /proc/<pid> | |||
cat status | |||
... | |||
CapInh: 00000000a80425fb | |||
CapPrm: 00000000a80425fb | |||
CapEff: 00000000a80425fb | |||
CapBnd: 00000000a80425fb | |||
CapAmb: 0000000000000000 | |||
... | |||
</syntaxhighlight> | |||
=Common Capabilities= | |||
==<tt>CAP_SYS_TIME</tt>== | |||
Bit 25. | |||
==<tt>CAP_CHOWN</tt>== | |||
==<tt>CAP_SYS_ADMIN</tt>== | |||
Allows a range of administrative operations. | |||
==<tt>CAP_SYS_MODULE</tt>== | |||
Allows loading and unloading of Linux kernel modules. | |||
==<tt>CAP_NET_ADMIN</tt>== | |||
Bit 12. | |||
Latest revision as of 02:59, 5 March 2021
External
- https://man7.org/linux/man-pages/man7/capabilities.7.html
- https://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid/
- https://docs.docker.com/engine/security/security/#linux-kernel-capabilities
- https://github.com/torvalds/linux/blob/master/include/uapi/linux/capability.h
Internal
Overview
Traditional UNIX implementations distinguish two categories of processes for the purpose of performing permission checks: privileged processes and unprivileged processes. A privileged process is a process with its effective user ID is 0, referred to as superuser or root. An unprivileged process is a process with a non-zero its effective user ID. Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process' credentials: effective UID, effective GID and supplementary group list.
Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as Linux (or kernel) capabilities, which can be independently enabled and disabled. Instead of making a process privileged and giving it unlimited permissions, a much safer method from a security perspective is to give it access only to the kernel features it really requires. Capabilities are a per-thread attribute.
Display Capabilities for a Process
Get the PID and then:
cd /proc/<pid>
cat status
...
CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
...
Common Capabilities
CAP_SYS_TIME
Bit 25.
CAP_CHOWN
CAP_SYS_ADMIN
Allows a range of administrative operations.
CAP_SYS_MODULE
Allows loading and unloading of Linux kernel modules.
CAP_NET_ADMIN
Bit 12.