Linux Capability
Zutao Zhu
10/23/2009
Outline
• Question 2
• Question 5
• Question 6
Question 2: Capabilities
• CAP_DAC_READ_SEARCH
• CAP_DAC_OVERRIDE
• CAP_FOWNER
• CAP_CHOWN
• CAP_FSETID
• CAP_SYS_MODULE
• CAP_KILL
• CAP_NET_ADMIN
• CAP_NET_RAW
• CAP_SYS_NICE
• CAP_SYS_TIME
CAP_DAC_READ_SEARCH
• Usage: /* Overrides all DAC restrictions regarding read and search on files and directories, including ACL restrictions if [_POSIX_ACL] is defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */
• How: try to open a file owned by root, using a normal user
CAP_DAC_OVERRIDE
• Usage: /* Override all DAC access, including ACL execute access if [_POSIX_ACL] is defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */
• How: try to write to a file owned by root, using a normal user
CAP_FOWNER
• Usage: /* Overrides all restrictions about allowed operations on files, where file owner ID must be equal to the user ID, except where CAP_FSETID is applicable. It doesn't override MAC and DAC restrictions. */
• How: try to change the mode of a file owned by root
CAP_CHOWN
• Usage: /* In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this overrides the restriction of changing file ownership and group ownership. */
• How: chown command!
CAP_FSETID
• Usage: /* Overrides the following restrictions that the effective user ID shall match the file owner ID when setting the S_ISUID and S_ISGID bits on that file; that the effective group ID (or one of the supplementary group IDs) shall match the file owner ID when setting the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are cleared on successful return from chown(2) (not implemented). */
• How: man -S 2 chmod, use chmod()
CAP_SYS_MODULE
• Usage: /* Insert and remove kernel modules - modify kernel without limit */
• How: apply to insmod or rmmod. First locate the module file; usually it is a .so file in /usr/local/lib, e.g. /sbin/insmod libmp3lame.so
CAP_KILL
• Usage: /* Overrides the restriction that the real or effective user ID of a process sending a signal must match the real or effective user ID of the process receiving the signal. */
• How: apply to the “kill” command!
CAP_NET_ADMIN
• Usage: /* Allow interface configuration */ /* Allow administration of IP firewall, masquerading and accounting */ /* Allow setting debug option on sockets */ /* Allow modification of routing tables */ /* Allow setting arbitrary process / process group ownership on sockets */ /* Allow binding to any address for transparent proxying */ /* Allow setting TOS (type of service) */ /* Allow setting promiscuous mode */ /* Allow clearing driver statistics */ /* Allow multicasting */ /* Allow read/write of device-specific registers */ /* Allow activation of ATM control sockets */
• How: apply to the ifconfig command! ifconfig eth0 <ip>
CAP_NET_RAW
• Usage: /* Allow use of RAW sockets */ /* Allow use of PACKET sockets */
• How: ping!
CAP_SYS_NICE
• Usage: /* Allow raising priority and setting priority on other (different UID) processes */ /* Allow use of FIFO and round-robin (realtime) scheduling on own processes and setting the scheduling algorithm used by another process. */ /* Allow setting cpu affinity on other processes */
• How: apply to nice(). man -S 2 nice
CAP_SYS_TIME
• Usage: /* Allow manipulation of system clock */ /* Allow irix_stime on mips */ /* Allow setting the real-time clock */
• How: apply to the “date” command to change the system clock
Question 5
• Use the vulnerable program in buffer-overflow lab
• You can focus on CAP_DAC_READ_SEARCH
• Use cap_disable and cap_drop like use_cap.c to demo that capability really helps!
Question 6
• Use the vulnerable program in race condition lab
• You can focus on CAP_DAC_READ_SEARCH
• Use cap_disable and cap_drop like use_cap.c to demo that capability really helps!
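Added example for Questions 5 and 6 (and for the CAP_DAC_READ_SEARCH slide in Question 2); this is not use_cap.c from the lab and not code from the slides. The lab's use_cap.c helpers cap_disable() and cap_drop() go through libcap; the version below does the same two operations with the raw capget(2)/capset(2) system calls and the macros from include/linux/capability.h, so it builds on any Linux box without libcap. It assumes Linux, and uses /etc/shadow (root-owned, not world-readable) as the probe file for "can this process still read a root-owned file". The helpers take any capability number, not only CAP_DAC_READ_SEARCH, so the same program can be reused for the other capabilities in Question 2.

```c
/* Added example (not the lab's use_cap.c): inspect and drop a single
 * capability with the raw capget(2)/capset(2) syscalls.  Assumes Linux. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Read the calling thread's capability sets (v3 layout: two 32-bit words
 * per set, so capabilities 0-31 live in data[0] and 32-63 in data[1]). */
static int fetch_caps(struct __user_cap_data_struct data[2]) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    memset(data, 0, 2 * sizeof(*data));
    return (int)syscall(SYS_capget, &hdr, data);
}

/* 1 if `cap` is currently in the effective set, 0 if not, -1 on error. */
int has_effective_cap(int cap) {
    struct __user_cap_data_struct data[2];
    if (fetch_caps(data) != 0) return -1;
    return (data[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) != 0;
}

/* Counterpart of use_cap.c's cap_disable(): clear `cap` from the effective
 * set only.  The permitted bit stays, so the program could turn it back on. */
int disable_cap(int cap) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (fetch_caps(data) != 0) return -1;
    data[CAP_TO_INDEX(cap)].effective &= ~CAP_TO_MASK(cap);
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Counterpart of use_cap.c's cap_drop(): clear `cap` from effective,
 * permitted and inheritable.  Lowering your own sets needs no privilege,
 * and once the permitted bit is gone the process cannot regain it, which
 * is what limits a later buffer-overflow or race-condition exploit. */
int drop_cap(int cap) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (fetch_caps(data) != 0) return -1;
    data[CAP_TO_INDEX(cap)].effective   &= ~CAP_TO_MASK(cap);
    data[CAP_TO_INDEX(cap)].permitted   &= ~CAP_TO_MASK(cap);
    data[CAP_TO_INDEX(cap)].inheritable &= ~CAP_TO_MASK(cap);
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Probe: 1 if `path` can be opened for reading, 0 otherwise (errno set). */
int can_read(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd >= 0) { close(fd); return 1; }
    return 0;
}

int main(void) {
    /* Assumed probe file: root-owned and mode 0640/0600 on most distributions. */
    const char *probe = "/etc/shadow";
    printf("CAP_DAC_READ_SEARCH effective before drop: %d\n",
           has_effective_cap(CAP_DAC_READ_SEARCH));
    printf("open(%s) before drop: %s\n", probe,
           can_read(probe) ? "ok" : strerror(errno));

    if (drop_cap(CAP_DAC_READ_SEARCH) != 0) { perror("capset"); return 1; }

    printf("CAP_DAC_READ_SEARCH effective after drop:  %d\n",
           has_effective_cap(CAP_DAC_READ_SEARCH));
    printf("open(%s) after drop:  %s\n", probe,
           can_read(probe) ? "ok" : strerror(errno));
    return 0;
}
```

Run it once as a normal user (both opens fail, the capability was never held) and once after giving the binary the file capability from the lab (setcap cap_dac_read_search=ep on it): the first open succeeds, the open after drop_cap() fails with EACCES. Put the drop_cap() call before the vulnerable code path in the lab program and the same overflow or race no longer reaches the protected file.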
Reference
• include/linux/capability.h
• Manual pages
Questions?