
I am experimenting with capabilities, on Debian Gnu/Linux.

I have copied /bin/ping to my current working directory. As expected it does not work; it was originally setuid root.

I then give my ping the minimal capabilities (not root) by doing

    sudo /sbin/setcap cap_net_raw=ep ./ping

and my ping works, as expected.

Then

    sudo /sbin/setcap -r ./ping

to revoke that capability. It is now not working, as expected.

I now try to get ping working using `capsh`.

`capsh` has no privileges, so I need to run it as root, but then drop root and thus all other privileges.

I think I also need `secure-keep-caps`; this is not documented in `capsh`, but is in the capability manual. I got the bit numbers from `/usr/include/linux/securebits.h`. They seem correct, as the output of `--print` shows these bits to be correct.

I have been fiddling for hours; so far I have this:

    sudo /sbin/capsh  --keep=1 --secbits=0x10  --caps="cap_net_raw+epi" == --secbits=0x10 --user=${USER} --print -- -c "./ping localhost"

However `ping` errors with `ping: icmp open socket: Operation not permitted`; this is what happens when it does not have the capability. Also the `--print` shows `Current: =p cap_net_raw+i`; this is not enough, we need `e`.

    sudo /sbin/capsh    --caps="cap_net_raw+epi" --print -- -c "./ping localhost"

will set the capability to `Current: = cap_net_raw+eip`. This is correct, but leaves us as `root`.

Edit-1

I have now tried

    sudo /sbin/capsh --keep=1 --secbits=0x11  --caps=cap_net_raw+epi  --print -- -c "touch zz; ./ping -c1 localhost;"

This produces:

    touch: cannot touch `zz': Permission denied
    ping: icmp open socket: Operation not permitted

The first error is expected, as `secure-noroot: yes`. But the second is not: `Current: = cap_net_raw+eip`.

Edit-2

If I put `==` before the `--print`, it now shows `Current: = cap_net_raw+i`, so that explains the previous error, but not why we are losing capability when switching out of root. I thought that `secure-keep-caps` should fix that.

Edit-3

From what I can see, I am losing Effective (e) and Permitted (p) when exec is called. This is expected, but I thought that secure-keep-caps should stop them being lost. Am I missing something?

Edit-4

I have been doing more research, and reading the manual again. It seems that normally `e` and `p` capabilities are lost when: you switch from user `root` (or apply `secure-noroot`, thus making root a normal user), this can be overridden with `secure-keep-caps`; when you call `exec`, as far as I can tell this is an invariant.

As far as I can tell, it is working according to the manual. As far as I can tell there is no way to do anything useful with `capsh`. As far as I can tell, to use capabilities you need to: use file capabilities or have a capabilities-aware program that does not use `exec`. Therefore no privileged wrapper.

So now my question is: what am I missing, what is `capsh` for?

Edit-5

I have added an answer re ambient capabilities. Maybe `capsh` can also be used with inherited capabilities, but to be useful these would need to be set on the executable file. I cannot see how capsh can do anything useful without ambient capabilities, or to allow inherited capabilities.


Versions:

  • `capsh` from package `libcap2-bin` version `1:2.22-1.2`
  • before edit-3 I grabbed the latest `capsh` from `git://git.debian.org/collab-maint/libcap2.git` and started using it.
  • `uname -a`: `Linux richard-laptop 3.2.0-4-amd64 #1 SMP Debian 3.2.65-1+deb7u2 x86_64 GNU/Linux`. User-land is 32bit.
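Added example (not code from the question or from libcap): a C model of the capability transition rules that execve() applies, taken from capabilities(7), worked for the cap_net_raw case above. It assumes a kernel with ambient capabilities (Linux 4.3 and later); on the 3.2 kernel in the question the ambient set is always empty, which is exactly the case that turns `cap_net_raw+eip` into `cap_net_raw+i` across the exec of an un-setcap'd `./ping`.

```c
/* Added example (not from the question or libcap): the execve() capability
 * transition rules from capabilities(7), for a non-root, non-setuid exec.
 * Assumes a kernel with ambient capabilities (4.3+); on the question's 3.2
 * kernel the ambient set is always empty. CAP_NET_RAW is bit 13. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define CAP_NET_RAW 13u
#define CAP_BIT(c) (UINT64_C(1) << (c))

struct caps {     /* process capability sets, one bit per capability */
    uint64_t permitted, effective, inheritable, ambient, bounding;
};
struct filecaps { /* file capabilities as written by setcap; 'effective' is the file e flag */
    uint64_t permitted, inheritable;
    bool effective;
};

/* New sets after exec. A file without file capabilities has F(permitted) =
 * F(inheritable) = 0, so only the ambient set can carry anything across. */
struct caps exec_transition(struct caps p, struct filecaps f)
{
    struct caps n = p;
    bool file_privileged = (f.permitted | f.inheritable) != 0;
    n.ambient = file_privileged ? 0 : p.ambient;
    n.permitted = (p.inheritable & f.inheritable) | (f.permitted & p.bounding) | n.ambient;
    n.effective = f.effective ? n.permitted : n.ambient;
    n.inheritable = p.inheritable; /* the inheritable set survives unchanged */
    return n;
}

/* Render one capability's flags the way capsh --print does ("eip", "i", ""). */
const char *cap_flags(struct caps c, unsigned cap, char buf[4])
{
    int k = 0;
    if (c.effective & CAP_BIT(cap)) buf[k++] = 'e';
    if (c.inheritable & CAP_BIT(cap)) buf[k++] = 'i';
    if (c.permitted & CAP_BIT(cap)) buf[k++] = 'p';
    buf[k] = '\0';
    return buf;
}

int main(void)
{   /* capsh state from the question: cap_net_raw+eip, empty ambient set */
    struct caps p = { CAP_BIT(CAP_NET_RAW), CAP_BIT(CAP_NET_RAW), CAP_BIT(CAP_NET_RAW), 0, ~UINT64_C(0) };
    struct filecaps plain = { 0, 0, false }, inh = { 0, CAP_BIT(CAP_NET_RAW), true };
    char b[4];
    printf("plain file:    cap_net_raw+%s\n", cap_flags(exec_transition(p, plain), CAP_NET_RAW, b));
    printf("file with +ie: cap_net_raw+%s\n", cap_flags(exec_transition(p, inh), CAP_NET_RAW, b));
    return 0;
}
```

The first line prints `cap_net_raw+i`, the second `cap_net_raw+eip`; setting `p.ambient` to `CAP_BIT(CAP_NET_RAW)` makes even the plain file come out as `+eip`, which is why ambient capabilities are the missing piece for a wrapper that execs.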