How are Linux capabilities related to a zero / non-zero UID?
The capabilities manpage is quite long and I don't quite understand some things.
What would a function that decides whether we have access to CAP_NET_RAW look like, for example?
Input:
- a = effective uid is 0
- b = some real / saved / any uid is 0
- c = CAP_NET_RAW +e (in the effective set)
- d = CAP_NET_RAW +i (in the inheritable set)
- e = CAP_NET_RAW +p (in the permitted set)
- f = CAP_NET_RAW is excluded from the "bounding set"
Output:
- x = we can now call socket and not receive EPERM
- y = after some trickery (not filesystem related: chmod +s or setcap, accessing or connecting to external helpers), e.g. with capset +p, we can finally open a raw socket.
As I understand it, it is something like this:
- x = !f && (a || c)
- y = !f && (b || a || c || e)
How is it really?
1 answer
Having read the docs a little more, it now seems like this:
x = c
can_regain_caps_without_execve = (a || b) && !NO_NEW_PRIVS && (!SECBIT_NO_SETUID_FIXUP || ( CAP_SETPCAP && !SECBIT_NO_SETUID_FIXUP_LOCKED))
y = c || e || can_regain_caps_without_execve
i.e.:
- The zero / non-zero uid only matters when it changes and the root "hacks" are active;
- Only effective capabilities are used for the check; everything else is capability management;
- The bounding set and inheritable capabilities across execve => out of scope for this answer.
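The two predicates from the answer, x = c and y = c || e, can be checked against a live kernel. The following program is an added example written for this page, not code from the question or the answer: it reads the calling thread's capability sets with the raw capget(2) syscall (so no libcap is needed), predicts whether socket(AF_INET, SOCK_RAW, ...) will get EPERM, asks the kernel, and then demonstrates the "y" case by dropping CAP_NET_RAW from the effective set and raising it again from the permitted set with capset(2). The uid-0 regain paths in the answer's can_regain_caps_without_execve term are deliberately not modelled here; the function and struct names are the example's own.

```c
/* Added example: predict and test CAP_NET_RAW for raw sockets via capget/capset. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Lower 32 bits of the three per-thread sets; CAP_NET_RAW (bit 13) lives there. */
struct capsets { unsigned eff, perm, inh; };

static int has_cap(unsigned set, int cap) { return (set >> cap) & 1u; }

/* Read the calling thread's sets with the raw capget(2) syscall. */
static int read_caps(struct capsets *out)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    out->eff = data[0].effective;
    out->perm = data[0].permitted;
    out->inh = data[0].inheritable;
    return 0;
}

/* x = c: the kernel's capable() check consults only the effective set. */
static int predict_raw_socket_now(const struct capsets *c)
{
    return has_cap(c->eff, CAP_NET_RAW);
}

/* y = c || e: a permitted capability can be raised back into the effective
 * set with capset(2) without execve. Uid-0 regain paths are not modelled. */
static int predict_raw_socket_after_capset(const struct capsets *c)
{
    return has_cap(c->eff, CAP_NET_RAW) || has_cap(c->perm, CAP_NET_RAW);
}

/* Ask the kernel: 1 = raw socket opened, 0 = EPERM, -1 = failed for another
 * reason (e.g. no AF_INET support), which says nothing about capabilities. */
static int try_raw_socket(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd >= 0) { close(fd); return 1; }
    return errno == EPERM ? 0 : -1;
}

/* Move CAP_NET_RAW into or out of the effective set, leaving the permitted and
 * inheritable sets alone. capset(2) rejects an effective set that is not a
 * subset of permitted, so raising only works if the capability is permitted. */
static int set_effective_net_raw(int on)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    if (on) data[0].effective |= 1u << CAP_NET_RAW;
    else    data[0].effective &= ~(1u << CAP_NET_RAW);
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Invariant that holds on any kernel: a raw AF_INET socket never opens
 * without CAP_NET_RAW in the effective set. Returns 1 if the invariant held
 * (an inconclusive probe also counts as held), 0 if it was violated. */
static int never_succeeds_without_cap(void)
{
    struct capsets c;
    if (read_caps(&c) != 0) return 0;
    int r = try_raw_socket();
    if (r == 1 && !has_cap(c.eff, CAP_NET_RAW)) return 0;
    return 1;
}

int main(void)
{
    struct capsets c;
    if (read_caps(&c) != 0) { perror("capget"); return 1; }
    printf("CAP_NET_RAW: effective=%d permitted=%d inheritable=%d\n",
           has_cap(c.eff, CAP_NET_RAW), has_cap(c.perm, CAP_NET_RAW),
           has_cap(c.inh, CAP_NET_RAW));
    printf("prediction x=%d y=%d, kernel says %d\n",
           predict_raw_socket_now(&c), predict_raw_socket_after_capset(&c),
           try_raw_socket());

    /* The "y" case: drop the effective bit (socket now fails with EPERM),
     * then raise it again from permitted and the socket opens once more. */
    if (has_cap(c.perm, CAP_NET_RAW)) {
        set_effective_net_raw(0);
        printf("after dropping from effective: %d\n", try_raw_socket());
        set_effective_net_raw(1);
        printf("after raising from permitted: %d\n", try_raw_socket());
    }
    return 0;
}
```

Run it once as an ordinary user (all three bits 0, x=0, y=0, kernel says 0) and once after `setcap cap_net_raw+p ./capcheck` on the binary: the file capability puts CAP_NET_RAW into the permitted set only, so the first probe still gets EPERM (x=0) while y=1, and the drop/raise sequence at the end shows the permitted bit being turned into a working raw socket without any execve.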