Why can't you drop a capability from the bounding set without CAP_SETPCAP?
I have a Linux service that runs as a non-root user and holds a set of a few capabilities. When it starts, I want to fork off a child process. That child process should drop one of its capabilities (let's say CAP_DAC_OVERRIDE). The idea is that in case there's a security vulnerability in the child process, an exploit will be less scary as it can't abuse that capability. The parent process is just a broker process, which retains CAP_DAC_OVERRIDE and will perform some actions on behalf of the unprivileged child process when it receives IPC messages from the child.

I'm able to remove this capability from every capability set in the child (inheritable, permitted, effective, and ambient) except for bounding. The call to prctl(PR_CAPBSET_DROP) of course requires CAP_SETPCAP (otherwise, you get prctl(PR_CAPBSET_DROP): Operation not permitted). I know that I can make my process spawn with CAP_SETPCAP initially and then remove it after I've changed the bounding set. My question is why does Linux not allow removing a capability from your bounding set unless you hold the CAP_SETPCAP capability? It seems odd that the Linux kernel prevents a process from reducing its own privileges.
There is a write-up here for why dropping capabilities from what root receives requires some privilege: https://sites.google.com/site/fullycapable/thesendmailcapabilitiesissue

The example discussed there points out that if an unprivileged user can drop CAP_SETUID from the bounding set, then setuid-root programs can no longer drop privileges by changing UID from root to some other user.

If you can trick one of these applications into leaking a process running as root, minus that one capability, then you can probably use one of the other available capabilities for some exploit. Either that, or overwrite some system file owned by root and do something nasty to the OS.

As that write-up mentions, this was used a long time ago to exploit sendmail. The kernel developers considered that exploit trivial enough that dropping root's capabilities needed to require some privilege.