libcap-ng
=========

The libcap-ng library is intended to make programming with POSIX capabilities
easier. The library also ships utilities to help you analyse a system for
apps that may be running with more privilege than they need.

The included utilities are designed to let admins and developers spot, in
various ways, apps that may be running with too much privilege. For example,
any investigation should start with network-facing apps, since they are prime
targets for intrusion. The netcap program checks all running apps that have a
listening socket and displays the results. Sample output from netcap:

```
ppid  pid   acct   command   type  port  capabilities
1     2295  root   nasd      tcp   8000  full
2323  2383  root   dnsmasq   tcp   53    net_admin, net_raw +
1     2286  root   sshd      tcp   22    full
1     2365  root   cupsd     tcp   631   full
1     2286  root   sshd      tcp6  22    full
1     2365  root   cupsd     tcp6  631   full
2323  2383  root   dnsmasq   udp   53    net_admin, net_raw +
2323  2383  root   dnsmasq   udp   67    net_admin, net_raw +
1     2365  root   cupsd     udp   631   full
```

After checking the networking apps, you should check all running apps with
pscap. If you are a developer and have to give your application
CAP_DAC_OVERRIDE, you must be accessing files for which you have no permission.
This can typically be resolved by membership in the correct groups. Try to
avoid needing CAP_DAC_OVERRIDE: if you need it, you may as well be root.

Some application developers have chosen to use file system based capabilities
rather than be setuid root and have to drop capabilities. Libcap-ng provides
filecap to recursively search directories and show you which files have
capabilities and exactly what those are.

C Examples
----------
As an application developer, there are probably six use cases that you are
interested in: drop all capabilities, keep one capability, keep several
capabilities, check if you have any capabilities at all, check for certain
capabilities, and retain capabilities across a uid change.

1) Drop all capabilities
   ```c
   /* Assumes #include <cap-ng.h>. Clear the working capability and bounding
    * sets, then apply them to the process. */
   capng_clear(CAPNG_SELECT_BOTH);
   capng_apply(CAPNG_SELECT_BOTH);
   ```

2) Keep one capability
   ```c
   /* Start from an empty set, add CAP_CHOWN to effective and permitted, apply. */
   capng_clear(CAPNG_SELECT_BOTH);
   capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_CHOWN);
   capng_apply(CAPNG_SELECT_BOTH);
   ```

3) Keep several capabilities
   ```c
   /* capng_updatev takes a -1 terminated list of capabilities. */
   capng_clear(CAPNG_SELECT_BOTH);
   capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SETUID, CAP_SETGID, -1);
   capng_apply(CAPNG_SELECT_BOTH);
   ```

4) Check if you have any capabilities
   ```c
   if (capng_have_capabilities(CAPNG_SELECT_CAPS) > CAPNG_NONE)
       do_something();
   ```

5) Check for a specific capability
   ```c
   if (capng_have_capability(CAPNG_EFFECTIVE, CAP_CHOWN))
       do_something();
   ```

6) Retain capabilities across a uid change
   ```c
   /* capng_change_id switches to uid/gid 99, drops supplementary groups,
    * clears the bounding set and applies the capability set prepared above.
    * It returns 0 on success and a negative value on failure. */
   capng_clear(CAPNG_SELECT_BOTH);
   capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_CHOWN);
   if (capng_change_id(99, 99, CAPNG_DROP_SUPP_GRP | CAPNG_CLEAR_BOUNDING))
       error();
   ```

Now, isn't that a lot simpler? Note that the last example takes about 60 lines
of code using the older capabilities library. As of the 0.6 release, there is
an m4 macro file to help add libcap-ng to your autotools configuration. In
configure.ac, add LIBCAP_NG_PATH. Then in Makefile.am, locate the apps that
link to libcap-ng and add $(CAPNG_LDADD) to their LDADD entries. Lastly,
surround the optional capabilities code with #ifdef HAVE_LIBCAP_NG.

Python
------
Libcap-ng 0.6 and later has python bindings (only python3 is supported from
0.8.4 onward). You simply add 'import capng' to your script.
Here are the same examples as above in python:

1) Drop all capabilities
   ```python
   capng.capng_clear(capng.CAPNG_SELECT_BOTH)
   capng.capng_apply(capng.CAPNG_SELECT_BOTH)
   ```

2) Keep one capability
   ```python
   capng.capng_clear(capng.CAPNG_SELECT_BOTH)
   capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE|capng.CAPNG_PERMITTED, capng.CAP_CHOWN)
   capng.capng_apply(capng.CAPNG_SELECT_BOTH)
   ```

3) Keep several capabilities
   ```python
   capng.capng_clear(capng.CAPNG_SELECT_BOTH)
   capng.capng_updatev(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE|capng.CAPNG_PERMITTED, capng.CAP_SETUID, capng.CAP_SETGID, -1)
   capng.capng_apply(capng.CAPNG_SELECT_BOTH)
   ```

4) Check if you have any capabilities
   ```python
   if capng.capng_have_capabilities(capng.CAPNG_SELECT_CAPS) > capng.CAPNG_NONE:
       do_something()
   ```

5) Check for a specific capability
   ```python
   if capng.capng_have_capability(capng.CAPNG_EFFECTIVE, capng.CAP_CHOWN):
       do_something()
   ```

6) Retain capabilities across a uid change
   ```python
   capng.capng_clear(capng.CAPNG_SELECT_BOTH)
   capng.capng_update(capng.CAPNG_ADD, capng.CAPNG_EFFECTIVE|capng.CAPNG_PERMITTED, capng.CAP_CHOWN)
   # capng_change_id returns 0 on success and a negative value on failure
   if capng.capng_change_id(99, 99, capng.CAPNG_DROP_SUPP_GRP | capng.CAPNG_CLEAR_BOUNDING) < 0:
       error()
   ```

The one caveat is that printing capabilities from python does not work, but
you can still manipulate them.

Ambient Capabilities
--------------------
Ambient capabilities arrived in the 4.3 Linux kernel. They allow a privileged
process to bestow capabilities on a child process. This is how systemd grants
capabilities to a daemon running in a service account. The problem with
ambient capabilities is that they are inherited forever: every process exec'ed
from the original service also has the capabilities. This is a security issue.
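The ambient set is visible in the CapAmb field of /proc/<pid>/status, which is the raw data that pscap reports. The following is an added example, not libcap-ng code, that decodes those hex masks into capability names so you can confirm whether a service carries ambient capabilities and whether removing them took effect; the sample status text is constructed, modelled on the systemd-resolve entry.

```c
/* Added example, not part of libcap-ng: decode the CapEff/CapAmb hex masks in
 * /proc/<pid>/status, the raw data behind pscap. A non-zero CapAmb is what
 * pscap marks with '@'; the same check confirms libdrop_ambient.so.0 worked. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Names indexed by capability bit number, as in <linux/capability.h>. */
static const char *cap_names[] = {
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore" };
#define CAP_COUNT (sizeof cap_names / sizeof cap_names[0])

/* Mask of one field ("CapEff", "CapAmb", ...) from a status buffer; 0 if absent. */
uint64_t cap_mask_from_status(const char *status, const char *field)
{
    char key[16];
    snprintf(key, sizeof key, "%s:", field);
    for (const char *p = status; (p = strstr(p, key)) != NULL; p += strlen(key))
        if (p == status || p[-1] == '\n')       /* key must start a line */
            return strtoull(p + strlen(key), NULL, 16);
    return 0;
}

/* pscap-style comma-separated names for a mask; returns the number of bits set. */
int cap_mask_names(uint64_t mask, char *out, size_t outlen)
{
    int n = 0;
    out[0] = '\0';
    for (unsigned bit = 0; bit < 64; bit++) {
        if (!(mask & ((uint64_t)1 << bit)))
            continue;
        const char *name = bit < CAP_COUNT ? cap_names[bit] : "unknown";
        size_t used = strlen(out);
        snprintf(out + used, outlen - used, "%s%s", n++ ? ", " : "", name);
    }
    return n;
}

/* Constructed sample modelled on the systemd-resolve row of the pscap output. */
static const char sample_status[] =
    "Name:\tsystemd-resolve\nCapPrm:\t0000000000002000\n"
    "CapEff:\t0000000000002000\nCapAmb:\t0000000000002000\n";
```

On a live system, read /proc/<pid>/status for the service in question into the buffer instead of the constructed sample; an empty CapAmb after preloading libdrop_ambient.so.0 shows the fix took effect.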

To find and fix this, you can run the pscap program and grep for '@'. The '@'
symbol denotes processes that have ambient capabilities. For example:

```
# pscap | grep @
1     1655  systemd-oom      systemd-oomd     dac_override, kill @ +
1     1656  systemd-resolve  systemd-resolve  net_raw @ +
```

To fix this, libcap-ng 0.8.3 and later ships libdrop_ambient.so.0. It is
designed to be used with LD_PRELOAD. It has a constructor function that forces
the dropping of ambient capabilities. By the time the application starts, it
has both effective and ambient capabilities, meaning it is safe to drop ambient
capabilities very early. You can either link it to an application run as a
systemd service (using ld), or create a wrapper script that then starts the
daemon.

Building
--------

After cloning libcap-ng, run:

```
cd libcap-ng
./autogen.sh
./configure
make
make install
```

If you want python bindings, add that option to the configure command. There
is also a spec file to use if you are on an rpm-based distribution. To do
that, run "make dist" instead of make in the above instructions, then use the
resulting tar file with the spec file.

NOTE: to distributions
----------------------
There is a "make check" target. It only works if the available kernel headers
roughly match the build root kernel. In other words, if you have a chroot
build system that is using a much older kernel, the macros in the kernel
header files will describe functionality that does not exist in the build
root. The capng_init function will probe the kernel and decide it can only do
v1 rather than v3 capabilities, regardless of what the kernel headers said was
possible. If that is your case, just don't run "make check" as part of the
build process. This problem should go away as build roots eventually switch
to 5.0 or later kernels.

Reporting
---------
Report any bugs in this package to:
https://github.com/stevegrubb/libcap-ng/issue