
Why can't you drop a capability from the bounding set without CAP_SETPCAP?

I have a Linux service that runs as a non-root user and holds a set of a few capabilities. When it starts, I want to fork off a child process. That child process should drop one of its capabilities (let's say CAP_DAC_OVERRIDE). The idea is that in case there's a security vulnerability in the child process, an exploit will be less scary as it can't abuse that capability. The parent process is just a broker process, which retains CAP_DAC_OVERRIDE and will perform some actions on behalf of the unprivileged child process when it receives IPC messages from the child.

I'm able to remove this capability from every capability set in the child (inheritable, permitted, effective, and ambient) except for bounding. The call to prctl(PR_CAPBSET_DROP) of course requires CAP_SETPCAP (otherwise, you get "prctl(PR_CAPBSET_DROP): Operation not permitted"). I know that I can make my process spawn with CAP_SETPCAP initially and then remove it after I've changed the bounding set. My question is: why does Linux not allow removing a capability from your bounding set unless you hold the CAP_SETPCAP capability? It seems odd that the Linux kernel prevents a process from reducing its own privileges.
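As an added example (not code from the original question), this is the "spawn with CAP_SETPCAP, prune the bounding set, then give up CAP_SETPCAP" sequence the question describes for the child process, written against prctl(2) and capget/capset(2) directly. It assumes Linux with glibc headers, and it assumes the process already holds CAP_SETPCAP in its permitted set when it starts (through file capabilities, an ambient set passed down by the service manager, or similar; obtaining it is outside the snippet). Without that, the bounding-set step returns exactly the EPERM from the question.

```c
/* Added example, not from the original question. Linux + glibc only.
 * Assumes CAP_SETPCAP is already in the permitted set at startup. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* 1 if cap is in the bounding set, 0 if not, -1 on error. Needs no privilege. */
int bset_has(int cap) { return prctl(PR_CAPBSET_READ, cap, 0, 0, 0); }

/* Remove cap from the bounding set. 0 on success, -errno otherwise;
 * -EPERM is the "Operation not permitted" from the question, returned
 * when CAP_SETPCAP is not in the caller's effective set. */
int bset_drop(int cap) {
    return prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == 0 ? 0 : -errno;
}

/* Edit the inheritable/permitted/effective sets through capget/capset.
 * raise_effective == 1: set the effective bit (only allowed if cap is permitted).
 * raise_effective == 0: clear cap from all three sets; lowering never needs
 * any privilege. Returns 0 or -errno. */
int thread_sets_update(int cap, int raise_effective) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    unsigned idx = (unsigned)cap / 32, bit = 1u << ((unsigned)cap % 32);

    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0) return -errno;
    if (raise_effective) {
        data[idx].effective |= bit;
    } else {
        data[idx].effective &= ~bit;
        data[idx].permitted &= ~bit;
        data[idx].inheritable &= ~bit;
    }
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -errno;
}

/* Remove cap from the ambient set (kernels >= 4.3). Older kernels answer
 * -EINVAL, which is harmless: they have no ambient set to begin with. */
int ambient_drop(int cap) {
#ifdef PR_CAP_AMBIENT
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_LOWER, cap, 0, 0) == 0 ? 0 : -errno;
#else
    (void)cap;
    return 0;
#endif
}

/* The child's startup sequence: give up cap everywhere, then CAP_SETPCAP itself. */
int child_drop_capability(int cap) {
    int r;
    /* Bounding set first, while CAP_SETPCAP can still be made effective. */
    if ((r = thread_sets_update(CAP_SETPCAP, 1)) != 0) return r;
    if ((r = bset_drop(cap)) != 0) return r;
    if ((r = bset_drop(CAP_SETPCAP)) != 0) return r;
    /* Then the remaining sets, for both the target cap and CAP_SETPCAP. */
    ambient_drop(cap);
    ambient_drop(CAP_SETPCAP);
    if ((r = thread_sets_update(cap, 0)) != 0) return r;
    return thread_sets_update(CAP_SETPCAP, 0);
}

int main(void) {
    printf("CAP_DAC_OVERRIDE in bounding set before: %d\n", bset_has(CAP_DAC_OVERRIDE));
    int r = child_drop_capability(CAP_DAC_OVERRIDE);
    if (r != 0) {
        fprintf(stderr, "child_drop_capability: %s\n", strerror(-r));
        return 1;
    }
    printf("CAP_DAC_OVERRIDE in bounding set after:  %d\n", bset_has(CAP_DAC_OVERRIDE));
    return 0;
}
```

The order is the whole point: PR_CAPBSET_DROP checks the effective set at call time, so the bounding-set edits have to happen before CAP_SETPCAP is cleared, and CAP_SETPCAP should be the last capability the child removes. Run as a plain unprivileged process the program reports "Operation not permitted" at the first bset_drop, which is the behaviour the question is asking about.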

There is a write up here for why dropping capabilities from what root receives requires some privilege: https://sites.google.com/site/fullycapable/thesendmailcapabilitiesissue

The example discussed there points out that if an unprivileged user can drop CAP_SETUID from the bounding set, then setuid-root programs can no longer drop privileges by changing UID from root to some other user.

If you can trick one of these applications into leaking a process running as root, minus that one capability, then you can probably use one of the other available capabilities for some exploit. Either that, or overwrite some system file owned by root and do something nasty to the OS.

As that write up mentions, this was used a long time ago to exploit sendmail. The kernel developers considered that exploit trivial enough that dropping root's capabilities needed to require some privilege.
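As an added example (not from the original answer), here is the defensive side of the sendmail issue described above: a setuid-root program that intends to continue as an ordinary user must verify that the UID change actually took effect. If CAP_SETUID is missing, setuid() fails with EPERM, and the program has to abort instead of carrying on as root. The example uses only POSIX calls; the target uid/gid are supplied by the caller (an assumption), and supplementary groups (setgroups(2)) are left to the caller as well.

```c
/* Added example, not from the original answer. POSIX calls only; the
 * target uid/gid are whatever the caller passes in (assumed). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Permanently become uid/gid. Returns 0 only if the change is verified,
 * otherwise -errno (or -EPERM when a post-check fails without an errno). */
int drop_to_user(uid_t uid, gid_t gid) {
    /* Groups before users: once the effective UID is no longer 0 (and
     * CAP_SETGID is gone with it) the group could not be changed any more.
     * From a privileged process setgid()/setuid() set the real, effective
     * and saved IDs all at once. */
    if (setgid(gid) != 0) return -errno;
    if (setuid(uid) != 0) return -errno;

    /* Never trust the return code alone; re-read the IDs. */
    if (getgid() != gid || getegid() != gid) return -EPERM;
    if (getuid() != uid || geteuid() != uid) return -EPERM;

    /* If we gave up root, getting it back must now be impossible. Success
     * here means a saved UID of 0 or a leftover CAP_SETUID is still around,
     * so the drop was not real and the caller must abort. */
    if (uid != 0 && setuid(0) == 0) return -EPERM;
    return 0;
}

int main(int argc, char **argv) {
    /* Usage: ./drop [uid [gid]]; defaults to the caller's own IDs, which
     * makes the run a harmless self-check for an unprivileged user. */
    uid_t uid = argc > 1 ? (uid_t)strtoul(argv[1], NULL, 10) : getuid();
    gid_t gid = argc > 2 ? (gid_t)strtoul(argv[2], NULL, 10) : getgid();
    int r = drop_to_user(uid, gid);
    if (r != 0) {
        fprintf(stderr, "privilege drop failed (%s); refusing to continue\n", strerror(-r));
        return 1;
    }
    printf("running as uid %u gid %u\n", (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

The last check is what the historical sendmail code lacked: a setuid() that returns an error, or that only changes the effective ID while a saved UID of 0 remains, leaves the process able to regain root, so the only safe reaction to a failed or unverifiable drop is to exit.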
