5

I'm trying to use capsh to grant myself a shell with no capabilities at all with a certain user. This is so I can test security stuff related to being non-root but with only certain capabilities.

Basically I'd like to get a shell running with something similar to this. This would emulate the state under which the test program runs.

capsh --print
Current: =
Bounding set =
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=10101(u0_a101)
gid=10101(u0_a101)
groups=9997(everybody),50101(all_a101)

Then I'd like to be able to run capsh again to grant the user some capabilities and/or change uid/gid if it's at all possible.

I haven't found any good tutorials on capsh if anyone has a good reference.

http://man7.org/linux/man-pages//man1/capsh.1.html

David
  • 3,324
  • 2
  • 27
  • 31

1 Answers1

5

  1. List current capabilities

    capsh --print
Current: =
Bounding set=cap_chown,cap_dac_override,[...]
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=1000(user)
gid=1000(user)
groups=4(adm),10101(u0_a101)

  2. Drop all capabilities from 1. Bounding section:

    capsh --drop=cap_chown,cap_dac_override,[...]

  1. + switch user and group:

    capsh --gid=10101 --drop=cap_chown,cap_dac_override,[...] --uid=10101

  1. + join groups

    capsh --gid=10101 --drop=cap_chown,cap_dac_override,[...] \
--uid=10101 --groups=9997,50101

  1. + execute application

    capsh --gid=10101 --drop=cap_chown,cap_dac_override,[...] \
--uid=10101 --groups=9997,50101 -- -c 'ping 127.0.0.1'
Murmel
  • 5,402
  • 47
  • 53