|
libcap-ng is a library designed to make programming with posix capabilities much easier than the traditional libcap library. It includes utilities that can analyse all currently running applications and print out any capabilities and whether or not it has an open ended bounding set. An open bounding set without the securebits "NOROOT" flag will allow full capabilities escalation for apps retaining uid 0 simply by calling execve.<br /><br />The included utilities are designed to let admins and developers spot apps from various ways that may be running with too much privilege. For example, any investigation should start with network facing apps since they would be prime targets for intrusion. The netcap program will check all running apps and display the results. Sample output from netcap:<br /><br />ppid pid acct command type port capabilities<br />1 2295 root nasd tcp 8000 full<br />2323 2383 root dnsmasq tcp 53 net_admin, net_raw +<br />1 2286 root sshd tcp 22 full<br />1 2365 root cupsd tcp 631 full<br />1 2286 root sshd tcp6 22 full<br />1 2365 root cupsd tcp6 631 full<br />2323 2383 root dnsmasq udp 53 net_admin, net_raw +<br />2323 2383 root dnsmasq udp 67 net_admin, net_raw +<br />1 2365 root cupsd udp 631 full<br /><br />But assuming someone was successful in getting into your system and only has partial capabilities, what might be the next targets to gain full privs? The pscap program will show you all apps currently running on the system that have privileges. Ideally, all apps running as uid 0 should drop privileges. Some can't for good reasons as explained later. But many can.<br /><br />If for some reason you feel that its too hard or app developers are unwilling to change, the admin can set file based capabilities, using filecap, if the file system has extended attributes and the kernel supports file system based capabilities. It can also search out files on your system that have filesystem based capabilities.<br /><br />Developer comments<br /><br />I think one of the intentions of file system based capabilities was to allow admins to take control of their security risk profile and drop privileges of apps on their system independent of what application developers do. I suspect that the low rate of adoption for dropping privileges is because the old API made it tedious to do any task and therefore app developers just don't use it. How many apps have you seen that says you need to be root to use this program? This is because its just 1 line of code to check if you are the root user. The programmer probably knew that a specific capability was needed, but chose to take the shortcut instead. I wanted to change that by making an easy to use API. Its easier to accept a 3-4 line patch than one that adds some 20 lines of code.<br /><br />As an application developer, there are probabaly 6 use cases that you are interested in: drop all capabilities, keep one capability, keep several capabilities, check if you have any capabilities at all, check for certain capabilities, and retain capabilities across a uid change. I'll show how easy it is to do each of these below using libcap-ng (and now in python):<br /><br />1) Drop all capabilities<br /> capng_clear(CAPNG_SELECT_BOTH);<br /> capng_apply(CAPNG_SELECT_BOTH);<br /><br />2) Keep one capability<br /> capng_clear(CAPNG_SELECT_BOTH);<br /> capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_CHOWN);<br /> capng_apply(CAPNG_SELECT_BOTH);<br /><br />3) Keep several capabilities<br /> capng_clear(CAPNG_SELECT_BOTH);<br /> capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SETUID, CAP_SETGID, -1);<br /> capng_apply(CAPNG_SELECT_BOTH);<br /><br />4) Check if you have any capabilities<br /> if (capng_have_capabilities(CAPNG_SELECT_CAPS) > CAPNG_NONE)<br /> do_something();<br /><br />5) Check for certain capabilities<br /> if (capng_have_capability(CAPNG_EFFECTIVE, CAP_CHOWN))<br /> do_something();<br /><br />6) Retain capabilities across a uid change<br /> capng_clear(CAPNG_SELECT_BOTH);<br /> capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_CHOWN);<br /> if (capng_change_id(99, 99, CAPNG_DROP_SUPP_GRP | CAPNG_CLEAR_BOUNDING))<br /> error();<br /><br />Now, isn't that a lot simpler? Note that the last example takes about 60 lines of code using the older capabilities library. As of the 0.6 release, there is a m4 macro file to help adding libcap-ng to your autotools config system. In configure.ac, add LIBCAP_NG_PATH. Then in Makefile.am locate the apps that link to libcap-ng, add $(CAPNG_LDADD) to their _LDADD entries. And lastly, surround the optional capabilities code with #ifdef HAVE_LIBCAP_NG.<br /><br />One aspect of this library that makes it more complete is that it treats the bounding set as if it were another kind of capability set. The same functions that take effective, permitted, or inheritable also take bounding_set. But sometimes you don't want to touch the bounding set, so the API allows you to select between the traditional capabilities, the bounding set, or both. One thing to note, if you want to change the bounding set, you must have SETPCAP capability. You can drop traditional capabilities at any time even without the SETPCAP capability. Read more about this in the "capabilities (7)" man page.
| Requirements: |
No special requirements
|
| Platforms: |
*nix, Linux |
| Keyword: |
Based, Bounding, Cap Chown, Capabilities, Capability, Capng Clearcapng Select, Capng Effective Capng Permitted, Change, Check, Cupsd, Developers, Dnsmasq, Libcap, Libcapng, Library, Net Admin, Net Raw, Ng, Privileges, Running, System |
| Users rating: |
0/10 |
|
Windows Software
Albina Merfyn - I find this to be really easy to use. I can...
