3

The capabilities manpage is rather long and I do not fully understand some things.

How would look, for example, a function that decides whether we have access to CAP_NET_RAW?

Input:

  • a = Effective uid is 0
  • b = There are some real/saved/whatever uid that is 0
  • c = CAP_NET_RAW is +e
  • d = CAP_NET_RAW is +i
  • e = CAP_NET_RAW is +p
  • f = CAP_NET_RAW is excluded from the "bounding set"

Output:

  • x = we can now call socket and not get EPERM
  • y = after some trickery (not involving filesystem-based chmod +s or setcap access elevations or connecting to external helpers), e.g. with capsetp we can finally allow ourselves to open the raw socket.

As I currently understand it is something like this:

  • x = !f && (a || c)
  • y = !f && (b || a || c || e)

How is it in reality?

tomix86
  • 1,336
  • 2
  • 18
  • 29
Vi.
  • 37,014
  • 18
  • 93
  • 148
  • If the effective UID is 0, then you still need to have `CAP_NET_RAW` in either the permitted or the effective set (but when the uid is changed to 0, the P set gets copied to the E set), so IIUC `x = !f && (c || a && e)`. – Fred Foo Jan 31 '13 at 16:26

1 Answers1

0

Read the docs a bit more, now it seems like it is this:

x = c
can_regain_caps_without_execve = (a || b) && !NO_NEW_PRIVS && (!SECBIT_NO_SETUID_FIXUP || ( CAP_SETPCAP && !SECBIT_NO_SETUID_FIXUP_LOCKED))
y = c || e || can_regain_caps_without_execve

I.e.

  • Zero/nonzero uid is only meaningful when it changes and "root hacks" are active;
  • Only effective capabilities are used for checks; everything else is capability management;
  • Bounding set and inherited capabilities are about execve => out of scope for this answer.
Vi.
  • 37,014
  • 18
  • 93
  • 148