How are Linux capabilities related to null / non-null UID?

The capabilities manpage is quite long and I don't quite understand some things.

What would a function that decides whether we have access to CAP_NET_RAW look like, for example?

Input:

  • a = effective uid is 0
  • b = some real / saved / other uid is 0
  • c = CAP_NET_RAW + e (in the effective set)
  • d = CAP_NET_RAW + i (in the inheritable set)
  • e = CAP_NET_RAW + p (in the permitted set)
  • f = CAP_NET_RAW is excluded from the "bounding set"

Output:

  • x = we can call socket() now and not receive EPERM
  • y = after some trickery (not filesystem related: chmod +s or setcap, accessing or connecting to external helpers), e.g. with capsetp, we can finally afford to open a raw socket.

As I understand it, it is something like this:

  • x = !f && (a || c)
  • y = !f && (b || a || c || e)

How is it really?

+3




1 answer


I read the docs a little more; now it seems like this:

x = c
can_regain_caps_without_execve = (a || b) && !NO_NEW_PRIVS && (!SECBIT_NO_SETUID_FIXUP || ( CAP_SETPCAP && !SECBIT_NO_SETUID_FIXUP_LOCKED))
y = c || e || can_regain_caps_without_execve

      



I.e.:

  • The zero / nonzero uid only matters when it changes and the "root hacks" are active;
  • Only effective capabilities are used for permission checks; everything else is capability management;
  • Bounding set and inheritable capabilities across execve => out of scope for this answer.
0