One Article Review

Home - The article:
Source SANS Institute
Identifier 1328
Publication date 2016-05-08 02:16:01 (viewed: 2016-05-08 02:16:01)
Title Guest Diary: Linux Capabilities - A friend and foe, (Sun, May 8th)
Text [The following is a guest diary by Paul Bolton. An earlier version of this diary appeared on Paulsblog.]

As an infrastructure engineer (3rd line support) with a healthy interest in security, I like to discover and play with the less well known features of technology. It is surprising how many people are not aware of these, even some senior administrators, yet such features can offer both strong mechanisms to improve the security of a system and strong mechanisms for a more nefarious individual to compromise or otherwise abuse that system.

One of these is Linux Capabilities, which can be thought of as a division of root's powers into discrete parts, such as the ability to open a privileged port or to bypass discretionary access controls. This allows for a more fine-grained approach to security: rather than a user or process having root privileges or not, they can have a subset.

If the process is capabilities aware, then rather than the traditional become_root and unbecome_root functions that a SUID root process may use to protect itself, it can enable/disable the specific bits it needs. For example, if you only want to open a privileged port, you don't need to enable the ability to read/write any file.

By limiting the privileges (capabilities) a process or file has to a subset of root/superuser, we limit both accidental damage caused by a bug or user error, and malicious damage caused by an adversary abusing the process or file. For example, take the common server action of opening a privileged port: if an adversary was able to execute arbitrary code due to a buffer overrun in the process, then the only privileged action that the adversary could perform without further abuse would be to open a privileged port. In contrast, under the traditional approach of running the process as root, the adversary would have full administrative access. In other words, we have the opportunity for a more effective least-privilege security model via the use of Capabilities.

Solaris has something similar - Privileges - but here I'm going to concentrate on the Linux variant.

Processes and files can have a number of capability sets. These are bitmasks of the discrete capabilities. Of particular interest are:

Permitted - the set of capabilities that the process or file can assume.
Effective - the set of capabilities that the process or file currently has.
Inheritable - the set of capabilities that are preserved across an exec or fork, i.e. that can be passed on to a sub-process.

The possible configurations are quite extensive, so reading the man page is encouraged. But let's look at ping. On older distributions this was SUID root to allow it to open raw sockets. However, on CentOS 7.1 for example, it isn't. Instead we now use capabilities:

    -rwxr-xr-x. 1 root root 44896 Jun 23
    /bin/ping = cap_net_admin,cap_net_raw+p

In addition to getcap, the capability sets of a running process can be read from /proc:

    [root@centos7-1 ~]# grep ^Cap /proc/$$/status
    CapInh: 0000000000000000
    CapPrm: 0000001fffffffff
    CapEff: 0000001fffffffff
    CapBnd: 0000001fffffffff

Or getpcaps:

    [root@centos7-1 ~]# getpcaps $$
    Capabilities for `3506': = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,35,36+ep

However, as you probably noticed when we listed the ping executable, other than the colour (if use a
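As an added example (not part of the diary or of any libcap tool), here is a small Python decoder for the Cap* bitmasks shown above. It parses the CapInh/CapPrm/CapEff/CapBnd lines of a /proc/<pid>/status text, names each bit using the numbering from linux/capability.h, and reports the permitted-but-not-effective capabilities that a capabilities-aware program such as ping holds in reserve until it raises them. Both status texts embedded in it are constructed: the first mirrors the root shell output above, the second assumes a ping process whose file capabilities are permitted (the +p from getcap) but not yet effective. Bits 35 and 36, which the diary's getpcaps printed only as numbers, are named here from the kernel header.

```python
import re

# Capability numbers as defined in linux/capability.h. Bits 0-36 cover the
# 0x1fffffffff mask in the CentOS 7 output above; 37-40 were added later.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]


def decode_mask(mask):
    """List the capability names contained in a bitmask, lowest bit first.
    Bits beyond the known names are reported by number, as getpcaps does."""
    names = []
    bit = 0
    while mask >> bit:
        if mask & (1 << bit):
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else str(bit))
        bit += 1
    return names


def mask_from_names(names):
    """Inverse of decode_mask: build the bitmask for a list of capability names."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_NAMES.index(name)
    return mask


def parse_status(status_text):
    """Extract the Cap* lines of a /proc/<pid>/status text into {set_name: int}."""
    sets = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", line)
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    return sets


def not_effective(sets):
    """Permitted-but-not-effective capabilities: what a capabilities-aware
    program keeps in reserve and must raise explicitly before using."""
    return decode_mask(sets["CapPrm"] & ~sets["CapEff"])


def describe_file_caps(names, flags):
    """Render a set in getcap's text form, e.g. 'cap_net_admin,cap_net_raw+p'."""
    return ",".join(names) + "+" + flags


def audit(status_text):
    """Summarise a status text: what is effective now and what is held in reserve."""
    sets = parse_status(status_text)
    return {
        "effective": decode_mask(sets["CapEff"]),
        "held_in_reserve": not_effective(sets),
    }


# Constructed sample: the root shell from the diary (all 37 bits in every set but CapInh).
ROOT_SHELL_STATUS = """Name:\tbash
Pid:\t3506
CapInh:\t0000000000000000
CapPrm:\t0000001fffffffff
CapEff:\t0000001fffffffff
CapBnd:\t0000001fffffffff
"""

# Constructed sample (assumption): a ping process started from an unprivileged
# shell, holding its file capabilities cap_net_admin,cap_net_raw as permitted only.
PING_STATUS = """Name:\tping
CapInh:\t0000000000000000
CapPrm:\t0000000000003000
CapEff:\t0000000000000000
CapBnd:\t0000001fffffffff
"""

if __name__ == "__main__":
    for label, text in (("root shell", ROOT_SHELL_STATUS), ("ping", PING_STATUS)):
        print(label, audit(text))
    print(describe_file_caps(decode_mask(0x3000), "p"))
```

Reading a live process is a matter of passing open(f"/proc/{pid}/status").read() to audit(); the "held_in_reserve" list is the one worth watching in a detection context, because a process with a large permitted set but an empty effective set is still one raise() away from those privileges.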
Sent Yes


The article does not appear to have been picked up after its publication.


The article does not appear to be based on an earlier one.