Capabilities

Protection mechanism introduced in Kernel 2.2.

Allows the traditional super-user privileges to be divided into distinct units.

  • That can be independently enabled and disabled.

Capabilities are a per-thread attribute.

  • Propagated through forks.

  • Changed explicitly by execs.

List of capabilities

Examples (small sample …)

  • CAP_CHOWN

    • Make arbitrary changes to file UIDs and GIDs.

  • CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH

    • Bypass file permission / directory traversal checks.

  • CAP_KILL

    • Bypass permission checks for sending signals.

  • CAP_NET_ADMIN

    • Perform various network-related operations.

  • CAP_SYS_ADMIN

    • Overloaded general-purpose administration capability.
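The kernel reports a thread's five sets as hexadecimal bitmasks in /proc/<pid>/status (CapInh, CapPrm, CapEff, CapBnd, CapAmb). The following decoder, added here as an example and not part of the original notes, turns such a mask back into capability names so the sets can be inspected without libcap. The bit numbers in the table are the ones assigned in <linux/capability.h>; they are spelled out so the program builds without Linux headers. The fallback status text used when /proc is unavailable is constructed for the example.

```c
/* Added example (not from the original notes): decode the hexadecimal
 * capability masks exposed in /proc/<pid>/status into capability names.
 * Bit numbers follow <linux/capability.h> (CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40). */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

static const char *const cap_names[] = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
};
#define CAP_COUNT (sizeof cap_names / sizeof cap_names[0])

/* Bit number of a capability name, or -1 if the name is unknown. */
int cap_from_name(const char *name)
{
    for (size_t i = 0; i < CAP_COUNT; i++)
        if (strcmp(cap_names[i], name) == 0)
            return (int)i;
    return -1;
}

/* Number of capabilities set in a mask; bits above the known range count too,
 * so capabilities added by a newer kernel are not silently dropped. */
int cap_count(uint64_t mask)
{
    int n = 0;
    for (; mask; mask &= mask - 1) n++;
    return n;
}

/* Render the names in `mask` as a comma-separated list into buf.
 * Unknown bit numbers are rendered as "cap_N". Returns buf. */
char *cap_mask_to_names(uint64_t mask, char *buf, size_t len)
{
    size_t used = 0;
    buf[0] = '\0';
    for (unsigned bit = 0; bit < 64 && used < len; bit++) {
        if (!(mask & ((uint64_t)1 << bit))) continue;
        int n;
        if (bit < CAP_COUNT)
            n = snprintf(buf + used, len - used, "%s%s", used ? "," : "", cap_names[bit]);
        else
            n = snprintf(buf + used, len - used, "%scap_%u", used ? "," : "", bit);
        if (n < 0) break;
        used += (size_t)n;
    }
    return buf;
}

/* Extract the mask of one "CapXxx:\t<hex>" line from status text.
 * Returns 0 on success, -1 if the key is absent. */
int cap_mask_from_status(const char *status, const char *key, uint64_t *out)
{
    const char *p = strstr(status, key);
    if (!p) return -1;
    *out = strtoull(p + strlen(key), NULL, 16);   /* strtoull skips the tab */
    return 0;
}

int main(void)
{
    /* Read this thread's own sets; fall back to a constructed sample when
     * /proc is not available (e.g. when built on a non-Linux host). */
    static char status[8192];
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(status, 1, sizeof status - 1, f) : 0;
    if (f) fclose(f);
    status[n] = '\0';
    if (n == 0)
        strcpy(status, "CapInh:\t0000000000000000\nCapPrm:\t0000000000003000\n"
                       "CapEff:\t0000000000003000\nCapBnd:\t000001ffffffffff\n"
                       "CapAmb:\t0000000000000000\n");   /* constructed sample */
    const char *keys[] = {"CapInh:", "CapPrm:", "CapEff:", "CapBnd:", "CapAmb:"};
    char names[2048];
    for (int i = 0; i < 5; i++) {
        uint64_t m = 0;
        if (cap_mask_from_status(status, keys[i], &m) == 0)
            printf("%s %016llx (%d) %s\n", keys[i], (unsigned long long)m,
                   cap_count(m), cap_mask_to_names(m, names, sizeof names));
    }
    return 0;
}
```

Run unprivileged, CapEff and CapPrm are normally all zeros while CapBnd still lists every capability; that difference is exactly the bounding set's role as a ceiling on what a later exec of a file with capabilities could grant, rather than something the thread currently holds.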

Capability management

Per-thread capabilities.

  • They define the privileges of the thread.

  • Divided into sets.

Sets.

  • Effective

  • Inheritable

  • Permitted

  • Bounding

  • Ambient

Thread capability sets

Effective

Set of capabilities used by the kernel to perform permission checks for the thread.

That is: these are the effective capabilities being used.

Inheritable

Set of capabilities preserved across an exec.

  • Remain inheritable for any program.

They are added to the permitted set when executing a program that has the corresponding bits set in its file inheritable set.

Permitted

Limiting superset.

  • For the effective capabilities that the thread may assume.

  • For the capabilities that may be added to the inheritable set.

    • Except for threads w/ CAP_SETPCAP in their effective set.

Once a capability is dropped from the permitted set, it can never be reacquired.

  • Except upon executing a file with special capabilities.

Bounding

Set used to limit the capabilities that are gained during an exec.

  • From a file with capabilities set.

Was previously a system-wide attribute.

  • Now is a per-thread attribute.

Ambient

Set of capabilities that are preserved across an exec of an unprivileged program.

  • No set-UID or set-GID.

  • No capabilities set.

Executing a privileged program will clear the ambient set.

Ambient capabilities must be both permitted and inheritable.

  • One cannot preserve something one cannot have.

  • One cannot preserve something one cannot inherit.

  • Automatically lowered if either of the corresponding permitted or inheritable capabilities is lowered.

Ambient capabilities are added to the permitted set and assigned to the effective set upon an exec.
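The rules above for the permitted, bounding and ambient sets combine into one transformation that the kernel applies at execve(). The model below is an added example, not code from the original notes: it represents each set as a 64-bit mask, implements the exec transformation as capabilities(7) describes it (thread inheritable intersected with file inheritable, file permitted limited by the bounding set, ambient preserved only across an unprivileged exec and then folded into permitted and effective), and models an irreversible drop from the permitted set. The UID 0 special cases (set-UID-root binaries, root executing a file without capabilities) are deliberately left out, and the scenario in main is constructed.

```c
/* Added example (not part of the original notes): a model of how execve()
 * transforms the five per-thread capability sets, following capabilities(7).
 * Sets are 64-bit masks indexed by the kernel's capability numbers. Only the
 * file-capability path is modelled; the UID 0 special cases are omitted. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP(n) ((uint64_t)1 << (n))
#define CAP_NET_BIND_SERVICE 10   /* values from <linux/capability.h> */
#define CAP_NET_ADMIN        12
#define CAP_SYS_ADMIN        21
#define CAP_ALL              (CAP(41) - 1)   /* CAP_CHOWN .. CAP_CHECKPOINT_RESTORE */

struct thread_caps { uint64_t effective, inheritable, permitted, bounding, ambient; };

/* What would be read from the binary's security.capability xattr, plus
 * whether the file is set-UID/set-GID. */
struct file_caps { uint64_t permitted, inheritable; bool effective; bool setid; };

/* Invariants the kernel maintains: effective is bounded by permitted, and
 * ambient is a subset of both permitted and inheritable. */
bool caps_consistent(const struct thread_caps *p)
{
    return (p->effective & ~p->permitted) == 0 &&
           (p->ambient & ~(p->permitted & p->inheritable)) == 0;
}

/* Dropping from permitted is irreversible for the thread; effective and
 * ambient are lowered with it, since neither may exceed permitted. */
struct thread_caps caps_drop_permitted(struct thread_caps p, uint64_t mask)
{
    p.permitted &= ~mask;
    p.effective &= ~mask;
    p.ambient   &= ~mask;
    return p;
}

/* A "privileged" file (set-UID/GID or carrying file capabilities) clears
 * the ambient set; an unprivileged one preserves it. */
static bool file_is_privileged(const struct file_caps *f)
{
    return f->setid || f->permitted != 0 || f->inheritable != 0;
}

struct thread_caps caps_after_exec(struct thread_caps p, const struct file_caps *f)
{
    struct thread_caps n = p;                        /* inheritable, bounding unchanged */
    n.ambient   = file_is_privileged(f) ? 0 : p.ambient;
    n.permitted = (p.inheritable & f->inheritable)   /* thread inheritable ∩ file inheritable */
                | (f->permitted & p.bounding)        /* file permitted, limited by bounding */
                | n.ambient;                         /* ambient is added to permitted */
    n.effective = f->effective ? n.permitted : n.ambient;   /* ambient assigned to effective */
    return n;
}

int main(void)
{
    /* Constructed scenario: a thread that raised CAP_NET_BIND_SERVICE into its
     * ambient set (so permitted and inheritable hold it too) and still has a
     * full bounding set. */
    struct thread_caps t = {
        .effective = CAP(CAP_NET_BIND_SERVICE), .inheritable = CAP(CAP_NET_BIND_SERVICE),
        .permitted = CAP(CAP_NET_BIND_SERVICE), .bounding = CAP_ALL,
        .ambient = CAP(CAP_NET_BIND_SERVICE),
    };
    struct file_caps plain = {0};                                   /* no file caps, no set-ID */
    struct file_caps netadmin = { .permitted = CAP(CAP_NET_ADMIN), .effective = true };

    struct thread_caps a = caps_after_exec(t, &plain);
    printf("unprivileged exec:      eff=%#llx amb=%#llx\n",
           (unsigned long long)a.effective, (unsigned long long)a.ambient);

    struct thread_caps b = caps_after_exec(t, &netadmin);
    printf("file-capability exec:   eff=%#llx amb=%#llx\n",
           (unsigned long long)b.effective, (unsigned long long)b.ambient);

    struct thread_caps c = caps_after_exec(caps_drop_permitted(t, CAP(CAP_NET_BIND_SERVICE)), &plain);
    printf("after permitted drop:   eff=%#llx\n", (unsigned long long)c.effective);
    return 0;
}
```

Two consequences of the rules fall out of the model directly: clearing a capability from the bounding set makes a file-capability exec unable to grant it even when the binary's permitted set names it, and a capability dropped from the permitted set stays gone across an unprivileged exec because the ambient set, the only thing such an exec carries forward, is lowered together with it.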
