Questions tagged [capabilities]

POSIX Capabilities are a way to split full superuser privileges into smaller partitions of privileges. Use this tag for questions on managing and using capabilities.

POSIX Capabilities are a way to split full superuser privileges into smaller partitions of privileges. While the superuser is all-powerful, this wealth of privileges is typically not necessary for individual tasks.

Under Unix and related operating systems the superuser (commonly called root) is all-powerful. Certain tasks need some of the superuser's privileges. For instance, /bin/ping needs the privilege to read and write raw IP packets, and usually only the superuser can do that. In order for ordinary users to run /bin/ping, the program file is owned by root and has the set-UID bit set. This gives /bin/ping full superuser privileges, so in addition to dealing with raw IP packets the process could install new system software, kill other processes, and so on. Another example is backup software, which only needs to be able to read all files; traditionally it is run with full superuser privileges to get that one ability.

This all-or-nothing approach has long attracted criticism because it violates the principle of least privilege: programs should have only the privileges they need to function, and assigning full superuser privileges to most programs is overkill. The risk is that if such a program is compromised (for example, by a buffer overflow with shell-code injection), the whole system is compromised.

POSIX capabilities are a step toward the least-privilege principle. Capabilities can be assigned to program files much like the set-UID bit, provided the filesystem supports it. The tools to inspect and modify file capabilities are getcap and setcap. For instance, /bin/ping only needs the capability CAP_NET_RAW, and a backup program only needs CAP_DAC_READ_SEARCH. A compromised process with limited capabilities cannot do much harm.

At least, that's the general idea. In practice the concept has some flaws; see "CAP_SYS_ADMIN: the new root". In fact, it turns out that a process holding certain capabilities can elevate its privileges to full superuser privileges; see "False Boundaries and Arbitrary Code Execution".

122 questions
33 votes, 2 answers

How to set capabilities with setcap command?

I would like to set up wpa_supplicant and openvpn to run as non-root user, like the recommended setup for wireshark. I can't find any documentation for what +eip in this example means: sudo setcap cap_net_raw,cap_net_admin,cap_dac_override+eip…
T0m4t0s4uc3
31 votes, 2 answers

Unset `setcap` additional capabilities on executable

An answer to the question "Allowing a regular user to listen to a port below 1024" specified giving an executable additional permissions using setcap such that the program could bind to ports smaller than 1024: setcap 'cap_net_bind_service=+ep'…
user2943160
28 votes, 5 answers

How do I use capsh: I am trying to run an unprivileged ping, with minimal capabilities

I am experimenting with capabilities, on Debian Gnu/Linux. I have copied /bin/ping to my current working directory. As expected it does not work; it was originally setuid root. I then give my ping the minimal capabilities (not root) by doing sudo…
ctrl-alt-delor
20 votes, 2 answers

'setcap' overwrites last capability. How do I set multiple capabilities?

I want to give node.js the ability to listen on port 80, and shutdown the computer. Initially I tried these two commands in sequence: setcap cap_net_bind_service=+ep /usr/bin/nodejs setcap cap_sys_boot=+ep /usr/bin/nodejs Then my app was failing…
Antonius Bloch
19 votes, 4 answers

Command to run a child process "offline" (no external network) on Linux

I have a program I would like to test in offline mode without taking down my actual network. This program would still need to connect to local sockets, including unix domain sockets and loopback. It also needs to listen on loopback and be visible to…
Havoc P
19 votes, 1 answer

What is the difference between AmbientCapabilities and CapabilityBoundingSet?

I am trying to create a systemd service for a web server process that has to bind to port 80 and 443. I found some examples setting AmbientCapabilities=CAP_NET_BIND_SERVICE and setting both AmbientCapabilities and CapabilityBoundingSet. From the…
18 votes, 2 answers

How does ping work on Fedora without setuid and capabilities?

As far as I know, ping needs to create a raw socket (which needs either root access or the cap_net_raw capability). From my understanding the trend these last years has been to remove setuid binaries and replace them with capabilities. However when I…
Antoine Catton
17 votes, 1 answer

Can capabilities be used in scripts without setcap'ing the interpreter binary?

Right now I'm using cap_net_bind_service MY_USERNAME in /etc/security/capability.conf. Now I just need to set cap_net_bind_service+i on the interpreter of my favorite scripting language to be able to add CAP_NET_BIND_SERVICE to the effective set via…
ThiefMaster
17 votes, 2 answers

When using setcap, where is the permission stored?

Using setcap to give additional permissions to a binary should write the new permission somewhere, on storage or in memory; where is it stored? Using lsof as is doesn't work because the process disappears too quickly.
Zulgrib
14 votes, 8 answers

How to prevent a process from writing files

I want to run a command on Linux in a way that it cannot create or open any files to write. It should still be able to read files as normal (so an empty chroot is not an option), and still be able to write to files already open (especially…
Joachim Breitner
13 votes, 1 answer

Is setcap deprecated?

I'm starting a webserver as non-root using a systemd unit file. I am getting listen tcp :80: bind: permission denied even though I already ran setcap cap_net_bind_service=+ep on the executable. In an example unit file on the internet I…
AndreKR
12 votes, 2 answers

Capabilities for a script on Linux

If I want to set a capability (capabilities(7)), such as CAP_NET_BIND_SERVICE, on an executable file and that file is a script, do I have to set the capability (setcap(8)) on the interpreter starting that script or is it sufficient to set it on the…
0xC0000022L
12 votes, 2 answers

What does the "ep" capability mean?

root@macine:~# getcap ./some_bin ./some_bin =ep What does "ep" mean? What are the capabilities of this binary?
James
11 votes, 1 answer

Docker running an app with NET_ADMIN capability: involved risks

I'm trying to run an app in a docker container. The app requires root privileges to run. sudo docker run --restart always --network host --cap-add NET_ADMIN -d -p 53:53/udp my-image My question is: What are the risks when adding the NET_ADMIN…
Doesntmatter
11 votes, 3 answers

Which Linux capability do I need in order to write to /proc/sys/vm/drop_caches?

I am trying to clear my filesystem cache from inside a docker container, like so: docker run --rm ubuntu:vivid sh -c "/bin/echo 3 > /proc/sys/vm/drop_caches" If I run this command I get sh: 1: cannot create /proc/sys/vm/drop_caches: Read-only file…
Julius Blank