
Linux Capability

Linux Capability. Zutao Zhu, 10/23/2009. Outline: Question 2, Question 5, Question 6.


Presentation Transcript


  1. Linux Capability Zutao Zhu 10/23/2009

  2. Outline • Question 2 • Question 5 • Question 6

  3. Question 2: Capabilities • CAP_DAC_READ_SEARCH • CAP_DAC_OVERRIDE • CAP_FOWNER • CAP_CHOWN • CAP_FSETID • CAP_SYS_MODULE • CAP_KILL • CAP_NET_ADMIN • CAP_NET_RAW • CAP_SYS_NICE • CAP_SYS_TIME

  4. CAP_DAC_READ_SEARCH • Usage: /* Overrides all DAC restrictions regarding read and search on files and directories, including ACL restrictions if [_POSIX_ACL] is defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */ • How: try to open a file owned by root, using a normal user

  5. CAP_DAC_OVERRIDE • Usage: /* Override all DAC access, including ACL execute access if [_POSIX_ACL] is defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */ • How: try to write to a file owned by root, using a normal user

  6. CAP_FOWNER • Usage: /* Overrides all restrictions about allowed operations on files, where file owner ID must be equal to the user ID, except where CAP_FSETID is applicable. It doesn't override MAC and DAC restrictions. */ • How: try to change the mode of a file owned by root

  7. CAP_CHOWN • Usage: /* In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this overrides the restriction of changing file ownership and group ownership. */ • How: chown command!

  8. CAP_FSETID • Usage: /* Overrides the following restrictions that the effective user ID shall match the file owner ID when setting the S_ISUID and S_ISGID bits on that file; that the effective group ID (or one of the supplementary group IDs) shall match the file owner ID when setting the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are cleared on successful return from chown(2) (not implemented). */ • How: man -S 2 chmod, use chmod()

  9. CAP_SYS_MODULE • Usage: /* Insert and remove kernel modules - modify kernel without limit */ • How: apply to insmod or rmmod. First locate the module; usually it is a .so file in /usr/local/lib, e.g. /sbin/insmod libmp3lame.so

  10. CAP_KILL • Usage: /* Overrides the restriction that the real or effective user ID of a process sending a signal must match the real or effective user ID of the process receiving the signal. */ • How: apply to the “kill” command!

  11. CAP_NET_ADMIN • Usage: /* Allow interface configuration */ /* Allow administration of IP firewall, masquerading and accounting */ /* Allow setting debug option on sockets */ /* Allow modification of routing tables */ /* Allow setting arbitrary process / process group ownership on sockets */ /* Allow binding to any address for transparent proxying */ /* Allow setting TOS (type of service) */ /* Allow setting promiscuous mode */ /* Allow clearing driver statistics */ /* Allow multicasting */ /* Allow read/write of device-specific registers */ /* Allow activation of ATM control sockets */ • How: apply to the ifconfig command! ifconfig eth0 <ip>

  12. CAP_NET_RAW • Usage: /* Allow use of RAW sockets */ /* Allow use of PACKET sockets */ • How: ping!

  13. CAP_SYS_NICE • Usage: /* Allow raising priority and setting priority on other (different UID) processes */ /* Allow use of FIFO and round-robin (realtime) scheduling on own processes and setting the scheduling algorithm used by another process. */ /* Allow setting cpu affinity on other processes */ • How: apply to nice(). man -S 2 nice

  14. CAP_SYS_TIME • Usage: /* Allow manipulation of system clock */ /* Allow irix_stime on mips */ /* Allow setting the real-time clock */ • How: apply to the “date” command to change the system clock

  15. Question 5 • Use the vulnerable program in the buffer-overflow lab • You can focus on CAP_DAC_READ_SEARCH • Use cap_disable and cap_drop as in use_cap.c to demo that the capability really helps!

  16. Question 6 • Use the vulnerable program in the race condition lab • You can focus on CAP_DAC_READ_SEARCH • Use cap_disable and cap_drop as in use_cap.c to demo that the capability really helps!
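As an added example (not part of the slides and not the lab's use_cap.c), the following C program shows the two operations Questions 5 and 6 ask for: cap_disable (clear a capability from the effective set only, so it can be re-enabled later) and cap_drop (clear it from the permitted and inheritable sets too, so the process can never regain it). It also decodes which of the Question 2 capabilities a process currently holds. It talks to the kernel through the raw capget(2)/capset(2) system calls instead of libcap, so it builds without extra packages. The CAP_* numbers are the kernel's own from include/linux/capability.h (the reference on slide 17); the struct names, the helper names (cap_data_clear, cap_drop_self, cap_names) and the sample masks are this example's own.

```c
/* Added example: inspect and shrink the calling process's capability sets
 * with the raw capget(2)/capset(2) syscalls (no libcap needed).
 * Build: cc -Wall -o cap_demo cap_demo.c
 * Run as root (or with a file capability on the binary) to see non-zero sets. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Capability numbers as defined in include/linux/capability.h (stable kernel ABI). */
#ifndef CAP_CHOWN
#define CAP_CHOWN            0
#define CAP_DAC_OVERRIDE     1
#define CAP_DAC_READ_SEARCH  2
#define CAP_FOWNER           3
#define CAP_FSETID           4
#define CAP_KILL             5
#define CAP_NET_ADMIN       12
#define CAP_NET_RAW         13
#define CAP_SYS_MODULE      16
#define CAP_SYS_NICE        23
#define CAP_SYS_TIME        25
#endif

/* Version-3 capget/capset ABI: each 64-bit set travels as two 32-bit words.
 * Layout matches __user_cap_header_struct / __user_cap_data_struct;
 * the struct names here are this example's own. */
#define CAP_ABI_VERSION_3 0x20080522u
struct cap_hdr  { uint32_t version; int pid; };
struct cap_data { uint32_t effective, permitted, inheritable; };

/* The capabilities listed on the Question 2 slide. */
static const struct { int num; const char *name; } known_caps[] = {
    { CAP_DAC_READ_SEARCH, "CAP_DAC_READ_SEARCH" }, { CAP_DAC_OVERRIDE, "CAP_DAC_OVERRIDE" },
    { CAP_FOWNER, "CAP_FOWNER" },   { CAP_CHOWN, "CAP_CHOWN" },     { CAP_FSETID, "CAP_FSETID" },
    { CAP_SYS_MODULE, "CAP_SYS_MODULE" }, { CAP_KILL, "CAP_KILL" }, { CAP_NET_ADMIN, "CAP_NET_ADMIN" },
    { CAP_NET_RAW, "CAP_NET_RAW" }, { CAP_SYS_NICE, "CAP_SYS_NICE" }, { CAP_SYS_TIME, "CAP_SYS_TIME" },
};

/* Join the two words into one 64-bit mask (the CapEff value /proc/PID/status shows). */
uint64_t cap_effective(const struct cap_data d[2])
{
    return ((uint64_t)d[1].effective << 32) | d[0].effective;
}

int cap_mask_has(uint64_t mask, int cap)
{
    return cap >= 0 && cap < 64 && ((mask >> cap) & 1u);
}

/* cap_disable: clear `cap` from the effective set only (it stays permitted, so
 * the process may re-enable it).  cap_drop (`permanent` != 0): also clear it
 * from permitted and inheritable, after which it can never be regained. */
void cap_data_clear(struct cap_data d[2], int cap, int permanent)
{
    if (cap < 0 || cap >= 64) return;
    uint32_t bit = 1u << (cap % 32);
    struct cap_data *w = &d[cap / 32];
    w->effective &= ~bit;
    if (permanent) { w->permitted &= ~bit; w->inheritable &= ~bit; }
}

/* Write the names of known capabilities present in `mask` to `out`, comma
 * separated; returns how many were found. */
int cap_names(uint64_t mask, char *out, size_t outlen)
{
    int n = 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof known_caps / sizeof known_caps[0]; i++) {
        if (!cap_mask_has(mask, known_caps[i].num)) continue;
        if (n++) strncat(out, ",", outlen - strlen(out) - 1);
        strncat(out, known_caps[i].name, outlen - strlen(out) - 1);
    }
    return n;
}

/* Read the calling process's sets (pid 0 = self); returns 0 on success. */
int cap_read_self(struct cap_data d[2])
{
    struct cap_hdr h = { CAP_ABI_VERSION_3, 0 };
    return syscall(SYS_capget, &h, d) == 0 ? 0 : -1;
}

/* Apply cap_disable/cap_drop to the running process and verify the bit is gone.
 * capset(2) never lets a process add to its permitted set, so a drop is final. */
int cap_drop_self(int cap, int permanent)
{
    struct cap_data d[2];
    struct cap_hdr h = { CAP_ABI_VERSION_3, 0 };
    if (cap_read_self(d)) return -1;
    cap_data_clear(d, cap, permanent);
    if (syscall(SYS_capset, &h, d)) return -1;
    if (cap_read_self(d)) return -1;
    return cap_mask_has(cap_effective(d), cap) ? -1 : 0;
}

int main(void)
{
    struct cap_data d[2];
    char names[512];
    if (cap_read_self(d)) { perror("capget"); return 1; }
    cap_names(cap_effective(d), names, sizeof names);
    printf("effective before: %016llx [%s]\n", (unsigned long long)cap_effective(d), names);
    /* The slides' demo target: once dropped, this capability no longer lets a
     * non-root uid read a root-owned mode-0600 file. */
    if (cap_drop_self(CAP_DAC_READ_SEARCH, 1)) { perror("capset"); return 1; }
    cap_read_self(d);
    cap_names(cap_effective(d), names, sizeof names);
    printf("effective after:  %016llx [%s]\n", (unsigned long long)cap_effective(d), names);
    return 0;
}
```

Run unprivileged and both lines show an empty set; run as root and CAP_DAC_READ_SEARCH is present on the first line and absent on the second. Since a process can never add to its permitted set through capset(2), a dropped capability stays gone for the rest of the process lifetime and across fork, which is what makes calling cap_drop_self early, before the program touches untrusted input, a usable least-privilege measure in the setuid programs of the buffer-overflow and race-condition labs.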

  17. Reference • include/linux/capability.h • Manual pages

  18. Questions?
