Hi O'Beardly
On 9/9/22 13:48, Linux O'Beardly via Dng wrote:
> I was "aware" of this, but I don't know that I understood it. I'm actually not sure that I understand it now, but I'm more aware of it than I was before.
> https://medium.com/@boutnaru/linux-security-capabilities-part-1-63c6d2ceb8bf
A file with the suid permission always executes as the user who owns the file, regardless of the user passing the command.
Let's put an example in C:
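#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    /* Become root; this only succeeds once the binary is root-owned and suid. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    system("apt-get update");
    return 0;
}
This program will update your Devuan repo. Compile the code: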
$ gcc suid_example.c -o suid_example
Before trying to run it, you must change the ownership of the given binary because you'll need admin permissions:
$ sudo chown root:root suid_example
In addition, the line 'setuid(0)' in the C code requires another step to be honored:
$ sudo chmod u+s suid_example
You've given suid permissions to the file. Indeed:
$ ls -l suid_example
-rwsr-xr-x 1 root root 16656 sep 9 21:09 suid_example
Now run the binary, and your repo will be updated:
$ ./suid_example
Des:1 http://deb.devuan.org/merged chimaera InRelease [33,5 kB]
Des:2 http://deb.devuan.org/merged chimaera-updates InRelease [26,1 kB]
Des:3 http://deb.devuan.org/merged chimaera-security InRelease [26,2 kB]
.....
.....
On the other hand, the goal of the Linux capabilities is to escalate permissions of the binary from the low privilege (effective uid is not 0) in a less risky way than using suid.
Such a binary cannot do whatever it pleases, because it's limited by the capability bounding set. Further information about Linux capabilities:
https://man7.org/linux/man-pages/man7/capabilities.7.html
Consider the following program:
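#include <stdio.h>
#include <stdlib.h>
#include <sys/capability.h>
#include <signal.h>

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s PID\n", argv[0]);
        return 1;
    }
    /* Send SIGTERM to the PID given on the command line. */
    if (kill(atoi(argv[1]), SIGTERM) != 0) {
        perror("kill");
        return 1;
    }
    return 0;
}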
In order to compile the program you need to install 'libcap-dev':
$ sudo apt-get install libcap-dev
Build the program:
$ gcc cap_example.c -o cap_example -lcap
The generated binary will terminate a concrete process, whenever the PID of the process is received as an argument on the command line.
However, if the given process is a root process, obviously you will not be able to kill it as a mortal user.
You'll need a concrete Linux capability then, called CAP_KILL.
The way to get the so-called capability is:
$ sudo /sbin/setcap cap_kill+ep cap_example
The additional flags (+ep) mean effective-set and permitted-set. I'm not going into details.
Now open another terminal and run a root process, for the sake of example, synaptic.
You can pass the pid of the running process as an argument to the compiled binary using the following pipe:
$ pidof synaptic | xargs ./cap_example
... And the root process, i.e. synaptic, terminates.
HTH,
Aitor.
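
Added example, not part of the message above: a small C check that decodes the CapEff mask from /proc/<pid>/status text, to show how little the setcap'd binary holds compared with the suid-root one. The two status samples are constructed, and the helper names (cap_mask, has_cap, cap_count) are hypothetical; CAP_KILL is bit 5 in <linux/capability.h>.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define CAP_KILL_BIT 5 /* value of CAP_KILL in <linux/capability.h> */

/* Constructed samples of /proc/<pid>/status lines (not captured output). */
static const char SAMPLE_SETCAP[] = /* after: setcap cap_kill+ep cap_example */
    "Name:\tcap_example\nCapPrm:\t0000000000000020\n"
    "CapEff:\t0000000000000020\nCapBnd:\t000001ffffffffff\n";
static const char SAMPLE_SUID[] = /* suid-root binary running with euid 0 */
    "Name:\tsuid_example\nCapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n";

/* Parse the hex mask of "<field>:" from status text; 0 on success, -1 if absent. */
int cap_mask(const char *status, const char *field, uint64_t *out)
{
    size_t n = strlen(field);
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, field, n) == 0 && p[n] == ':') {
            char *end;
            unsigned long long v = strtoull(p + n + 1, &end, 16);
            if (end == p + n + 1) return -1; /* no hex digits after the colon */
            *out = v;
            return 0;
        }
        p = strchr(p, '\n'); /* advance to the start of the next line */
        if (p) p++;
    }
    return -1;
}

/* 1 if the given capability bit is set in the mask, else 0. */
int has_cap(uint64_t mask, int bit) { return (int)((mask >> bit) & 1); }

/* Number of capabilities present in the mask. */
int cap_count(uint64_t mask)
{
    int c = 0;
    for (; mask; mask &= mask - 1) c++;
    return c;
}

int main(void)
{
    uint64_t m;
    if (cap_mask(SAMPLE_SETCAP, "CapEff", &m) == 0)
        printf("setcap: %d capability, CAP_KILL=%d\n", cap_count(m), has_cap(m, CAP_KILL_BIT));
    if (cap_mask(SAMPLE_SUID, "CapEff", &m) == 0)
        printf("suid:   %d capabilities, CAP_KILL=%d\n", cap_count(m), has_cap(m, CAP_KILL_BIT));
    return 0;
}
```

To check a live process, pass the contents of /proc/<pid>/status to cap_mask() instead of the samples.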