POSIX file capabilities, the dark side
30 May 2010 15:20 0 messages
Also the author suppose the reader have a good base about GNU Linux and security.
License : Copyright Emeric Nasi, some rights reserved
This document is licensed under the [Creative Commons Attribution-NonCommercial-NoDerivs 3.0 License].
Since kernel 2.6.25 Linux, capabilities processing is made easier. With the event of file capabilities combine with libcap2-bin tools (capsh, getpcaps, getcap, setcap), one can now reduce the exposure of superuser almighty power to hackers.
Some of the major Linux distributions such as Fedora are starting to use capabilities and have libcap2-bin tools enabled by default.
These tools can be use to improve security in these way :
- Turn a setuid-root file into a file with minimum privileges
- Run a service/daemon with uid other than 0 and minimum privileges
- Run a service/daemon with uid=0 but with the minimum superuser privileges
- Configure files so they can be accessed only by an admin or a process with the right privileges, and cannot be accessed by anyone else even unprivileged root.
- Configure a file so that it does not have to be run by root to work properly.
However one must not be fooled by all this. Capabilities have some drawbacks.
I will first explain why capabilities can be dangerous.
Then I will show ways to circumvent capabilities and still hack system.
After that we will see how capabilities can be exploited by an attacker and thus generate more vulnerabilities
This article has 12 pages, if you wish to read it download it here :
Also in this section
5 December 2010 – Linux filesystem security scans
27 August 2010 – Linux security using a limited group (PAM modules)
14 August 2010 – How to secure Linux users
18 June 2010 – HTTP backdoor using POSIX file capabilities and PHP
17 June 2010 – Create a daily system-update script