Download Shareware and Freeware Software for Windows, Linux, Macintosh, PDA

line Home  |  About Us  |  Link To Us  |  FAQ  |  Contact

Serving Software Downloads in 976 Categories, Downloaded 30.066.486 Times

libcap-ng 0.6.4

Company: Steve Grubb
Date Added: October 11, 2013  |  Visits: 236

libcap-ng

Report Broken Link
Printer Friendly Version


Product Homepage
Download (16 downloads)

libcap-ng is a library designed to make programming with posix capabilities much easier than the traditional libcap library. It includes utilities that can analyse all currently running applications and print out any capabilities and whether or not it has an open ended bounding set. An open bounding set without the securebits "NOROOT" flag will allow full capabilities escalation for apps retaining uid 0 simply by calling execve.<br /><br />The included utilities are designed to let admins and developers spot apps from various ways that may be running with too much privilege. For example, any investigation should start with network facing apps since they would be prime targets for intrusion. The netcap program will check all running apps and display the results. Sample output from netcap:<br /><br />ppid pid acct command type port capabilities<br />1 2295 root nasd tcp 8000 full<br />2323 2383 root dnsmasq tcp 53 net_admin, net_raw +<br />1 2286 root sshd tcp 22 full<br />1 2365 root cupsd tcp 631 full<br />1 2286 root sshd tcp6 22 full<br />1 2365 root cupsd tcp6 631 full<br />2323 2383 root dnsmasq udp 53 net_admin, net_raw +<br />2323 2383 root dnsmasq udp 67 net_admin, net_raw +<br />1 2365 root cupsd udp 631 full<br /><br />But assuming someone was successful in getting into your system and only has partial capabilities, what might be the next targets to gain full privs? The pscap program will show you all apps currently running on the system that have privileges. Ideally, all apps running as uid 0 should drop privileges. Some can't for good reasons as explained later. But many can.<br /><br />If for some reason you feel that its too hard or app developers are unwilling to change, the admin can set file based capabilities, using filecap, if the file system has extended attributes and the kernel supports file system based capabilities. It can also search out files on your system that have filesystem based capabilities.<br /><br />Developer comments<br /><br />I think one of the intentions of file system based capabilities was to allow admins to take control of their security risk profile and drop privileges of apps on their system independent of what application developers do. I suspect that the low rate of adoption for dropping privileges is because the old API made it tedious to do any task and therefore app developers just don't use it. How many apps have you seen that says you need to be root to use this program? This is because its just 1 line of code to check if you are the root user. The programmer probably knew that a specific capability was needed, but chose to take the shortcut instead. I wanted to change that by making an easy to use API. Its easier to accept a 3-4 line patch than one that adds some 20 lines of code.<br /><br />As an application developer, there are probabaly 6 use cases that you are interested in: drop all capabilities, keep one capability, keep several capabilities, check if you have any capabilities at all, check for certain capabilities, and retain capabilities across a uid change. I'll show how easy it is to do each of these below using libcap-ng (and now in python):<br /><br />1) Drop all capabilities<br /> capng_clear(CAPNG_SELECT_BOTH);<br /> capng_apply(CAPNG_SELECT_BOTH);<br /><br />2) Keep one capability<br /> capng_clear(CAPNG_SELECT_BOTH);<br /> capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_CHOWN);<br /> capng_apply(CAPNG_SELECT_BOTH);<br /><br />3) Keep several capabilities<br /> capng_clear(CAPNG_SELECT_BOTH);<br /> capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SETUID, CAP_SETGID, -1);<br /> capng_apply(CAPNG_SELECT_BOTH);<br /><br />4) Check if you have any capabilities<br /> if (capng_have_capabilities(CAPNG_SELECT_CAPS) > CAPNG_NONE)<br /> do_something();<br /><br />5) Check for certain capabilities<br /> if (capng_have_capability(CAPNG_EFFECTIVE, CAP_CHOWN))<br /> do_something();<br /><br />6) Retain capabilities across a uid change<br /> capng_clear(CAPNG_SELECT_BOTH);<br /> capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_CHOWN);<br /> if (capng_change_id(99, 99, CAPNG_DROP_SUPP_GRP | CAPNG_CLEAR_BOUNDING))<br /> error();<br /><br />Now, isn't that a lot simpler? Note that the last example takes about 60 lines of code using the older capabilities library. As of the 0.6 release, there is a m4 macro file to help adding libcap-ng to your autotools config system. In configure.ac, add LIBCAP_NG_PATH. Then in Makefile.am locate the apps that link to libcap-ng, add $(CAPNG_LDADD) to their _LDADD entries. And lastly, surround the optional capabilities code with #ifdef HAVE_LIBCAP_NG.<br /><br />One aspect of this library that makes it more complete is that it treats the bounding set as if it were another kind of capability set. The same functions that take effective, permitted, or inheritable also take bounding_set. But sometimes you don't want to touch the bounding set, so the API allows you to select between the traditional capabilities, the bounding set, or both. One thing to note, if you want to change the bounding set, you must have SETPCAP capability. You can drop traditional capabilities at any time even without the SETPCAP capability. Read more about this in the "capabilities (7)" man page.

Requirements: No special requirements
Platforms: *nix, Linux
Keyword: Based Bounding Cap Chown Capabilities Capability Capng Clearcapng Select Capng Effective Capng Permitted Change Check Cupsd Developers Dnsmasq Libcap Libcapng Library Net Admin Net Raw Ng Privileges Running System
Users rating: 0/10

License: Freeware Size: 348.16 KB
LIBCAP-NG RELATED
Networking  -  IM8 Box Hide 1.46
IM8 Box Hide shows or hides meta boxes based on roles and capabilities. * Deactivate wordpress metaboxes (Attributes, Custom Fields, ...) * Deactivate plugin metaboxes (for example All in One SEO, Mappress, ...) * Support for additional user-roles...
174.08 KB  
Programming  -  AK Web Dyn Designer 1.0
AKWebDyn Designer is a Java tool that offers the possibility to create and deploy Dynamic Web pages,through a user-friendly GUI based on Drag n Drop capability.Developed at ESIB-USJ;Winner of the GoldenChip Awards 2004. Anthony Assi & Jihad Khalil
453.67 KB  
Network & Internet  -  DataparkSearch 4.47
DataparkSearch Engine is a web-based search engine released under the GNU General Public License, full-featured and designed to organize search within a web-site, group of web-sites, intranet or local system. DataparkSearch consists of two...
1.9 MB  
Programming  -  Polymer 0.01.1
Design matrix for permissions-based data management applications; forms, reports, ad-hoc queries, with group-level permissions for all elements; allows easy management of diverse access levels for users on the same system. Extends smarty; requires...
168.39 KB  
Science  -  Research Genetic Algorithm Tool 1.0
This easy to run and change program for developers, it contains several evolutionary based strategies allowing you try among some function samples
118.72 KB  
Games  -  Smokin' Guns 1.0
Smokin' Guns is a GPLv2 licensed first person Western style shooter based on the Quake 3 engine (Id Tech 3) developed by a loosely knit team of developers and artists. This project represents the game engine.
10.95 MB  
Programming  -  SWT Autotester 1.0
A tool to automate the usage of SWT based GUI and to allow the user to test the existence of controls and check their characteristics. The users are able to perform the tests from a user interface or from a regression environment.
12.81 KB  
Networking  -  Web-Net-Admin 0.1
Web-Net-Admin, Web-based administration of a TCP/IP network. Manage DHCP, DNS, LDAP, DOMAIN, SMTP, SMB (and more) configurations.Need MySQL , PHP, Apache and a client module on each managed server. Works with linux, Aix, Windows, Mac OS.
153.6 KB  
Business  -  Hubbr.net 1.2
Hubbr.net Mobile Edition lets you view and update your construction schedules, access job details, customers and suppliers contacts from wherever you are. What's Hubbr.net? Hubbr.net is an internet-based software solution that provides...
614.4 KB  
Programming  -  BasicQuery 01.03.01
BasicQuery is a Java-based application used to access databases through JDBC. It features a Swing-based GUI and includes capabilities useful to developers when testing SQL statements against a database. BasicQuery also produces timing information,...
1.3 MB  
NEW DOWNLOADS IN LINUX SOFTWARE, PROGRAMMING
Linux Software  -  Polling Autodialer Software 3.4
ICTBroadcast Auto Dialer software has a survey campaign for telephone surveys and polls. This auto dialer software automatically dials a list of numbers and asks them a set of questions that they can respond to, by using their telephone keypad....
488 B  
Linux Software  -  Total Video Converter Mac Free 3.5.5
Total Video Converter Mac Free developed by EffectMatrix Ltd is the official legal version of Total Video Converter which was a globally recognized brand since 2006. Total Video Converter Mac Free is a free but powerful all-in-one video...
17.7 MB  
Linux Software  -  Skeith mod_log_sql Analyzer 2.10beta2
Skeith is a php based front end for analyzing logs for Apache using mod_log_sql.
47.5 KB  
Linux Software  -  SLAX 6.0+
Slax is a modern, portable, small and fast Linux operating system with a modular approach and outstanding design. Despite its small size, Slax provides a wide collection of pre-installed software for daily use, including a well organized graphical...
190 KB  
Linux Software  -  GTK+ 2.5
GTK+, which stands for the GIMP Toolkit, is a library for creating graphical user interfaces for the X Window System. It is designed to be small, efficient, and flexible. GTK+ is written in C with a very object-oriented approach. Language bindings...
60 MB  
Programming  -  FLEX-db Digital Asset Manager 3.0.9
FLEX-db - an enterprise Digital Asset Manager (DAM). It ingests and links metadata with files, creates thumbnails, and processes files using business rules. FLEX-db has a JSP client, Java app server for file input and output and an EJB metadata...
21.57 MB  
Programming  -  Libicom 0.9.0
The libicom library is a character based dynamicly linked library for Linux. It is used to remotely control the Icom IC-R8500 wide band receiver via an RS232 link. All call and return parameters to the control functions are character string based....
20.48 KB  
Programming  -  dotdesktop 0.3
Dotdesktop library provides ability to parse desktop entry file and access the information in a convenient way. Desktop entry file format is defined by freedesktop.org, it is used to describe information about an application such as the name and...
327.68 KB  
Programming  -  Cedalion for Linux 0.2.6
Cedalion is a programming language that allows its users to add new abstractions and define (and use) internal DSLs. Its innovation is in the fact that it uses projectional editing to allow the new abstractions to have no syntactic limitations.
471.04 KB  
Programming  -  libyasl 0.2
Libyasl is a C++ class library to easily realize TCP/UDP/Multicast clientsand servers in IPv4 and IPv6 environments under GNU/Linux systems.
143.36 KB