Capabilities
Protection mechanism introduced in Kernel 2.2.
Allows dividing the traditional super-user privileges into distinct units.
That can be independently enabled and disabled.
Capabilities are a per-thread attribute.
Propagated through forks.
Changed explicitly by execs.
List of capabilities
Examples (small sample …)
CAP_CHOWN
Make arbitrary changes to file UIDs and GIDs.
CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH
Bypass file permission / directory traversal checks.
CAP_KILL
Bypass permission checks for sending signals.
CAP_NET_ADMIN
Perform various network-related operations.
CAP_SYS_ADMIN
Overloaded general-purpose administration capability.
Capability management
Per-thread capabilities.
They define the privileges of the thread.
Divided into sets.
Sets.
Effective
Inheritable
Permitted
Bounding
Ambient
Thread capability sets
Effective
Set of capabilities used by the kernel to perform permission checks for the thread.
That is: these are the effective capabilities being used.
Inheritable
Set of capabilities preserved across an exec.
Remain inheritable for any program.
Are added to the permitted set when executing a program that has the corresponding bits set in the file inheritable set.
Permitted
Limiting superset.
For the effective capabilities that the thread may assume.
For the capabilities that may be added to the inheritable set.
Except for threads with CAP_SETPCAP in their effective set.
Once dropped, it can never be reacquired.
Except upon executing a file with special capabilities.
Bounding
Set used to limit the capabilities that are gained during an exec.
From a file with capabilities set.
Was previously a system-wide attribute.
Now it is a per-thread attribute.
Ambient
Set of capabilities that are preserved across an exec of an unprivileged program.
No set-UID or set-GID.
No capabilities set.
Executing a privileged program will clear the ambient set.
Ambient capabilities must be both permitted and inheritable.
One cannot preserve something one cannot have.
One cannot preserve something one cannot inherit.
Automatically lowered if either of the corresponding permitted or inheritable capabilities is lowered.
Ambient capabilities are added to the permitted set and assigned to the effective set upon an exec.
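Decoding the five Cap* masks of /proc/<pid>/status and checking the rules stated above (effective within permitted, ambient within permitted and inheritable, only the ambient set surviving an exec of an unprivileged program), as an added Python example that is not part of the original slides. The status sample is constructed, and capability numbers beyond CAP_SYS_ADMIN are shown by bit number only.

```python
import re

# Capability numbers 0..21 as in linux/capability.h (the slides name only a small sample);
# higher bits decode as "CAP_<n>" to keep this example short.
CAP_NAMES = (
    "CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_KILL "
    "CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE "
    "CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER "
    "CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN"
).split()

# The five per-thread sets, keyed by the labels /proc/<pid>/status uses for them.
SET_LABELS = {"CapInh": "inheritable", "CapPrm": "permitted", "CapEff": "effective",
              "CapBnd": "bounding", "CapAmb": "ambient"}

def cap_name(bit):
    return CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}"

def parse_status(text):
    """Decode the Cap* hex bitmasks of a status file into {set: frozenset(cap names)}."""
    sets = {}
    for label, field in SET_LABELS.items():
        m = re.search(rf"^{label}:\s*([0-9a-fA-F]+)\s*$", text, re.MULTILINE)
        if not m:
            raise ValueError(f"missing {label} line")
        mask = int(m.group(1), 16)
        sets[field] = frozenset(cap_name(b) for b in range(mask.bit_length()) if mask >> b & 1)
    return sets

def check_invariants(sets):
    """Rules from the slides; an empty list means the sets are consistent."""
    problems = []
    if not sets["effective"] <= sets["permitted"]:          # permitted limits effective
        problems.append("effective exceeds permitted")
    if not sets["ambient"] <= sets["permitted"] & sets["inheritable"]:
        problems.append("ambient exceeds permitted & inheritable")  # cannot preserve what you cannot have/inherit
    return problems

def after_unprivileged_exec(sets):
    """Sets after exec of a file with no set-UID/GID and no file caps: ambient survives and
    becomes permitted and effective; inheritable and bounding are carried over unchanged."""
    return {"inheritable": sets["inheritable"], "bounding": sets["bounding"],
            "ambient": sets["ambient"], "permitted": sets["ambient"], "effective": sets["ambient"]}

# Constructed sample: CAP_KILL (bit 5) and CAP_NET_ADMIN (bit 12) permitted and inheritable,
# only CAP_NET_ADMIN effective and ambient, full bounding set (bits 0..40).
SAMPLE_STATUS = """CapInh:\t0000000000001020
CapPrm:\t0000000000001020
CapEff:\t0000000000001000
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000001000
"""
```

On a real system the same parser can be pointed at the contents of /proc/self/status to inspect the current thread.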