『Linux Capability』
For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero).
Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process‘s credentials (usually: effective UID, effective GID, and supplementary group list).
Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabili‐ties, which can be independently enabled and disabled. Capabilities are a per-thread attribute.
一、kernel配置
二、源码中权限相关注释(/usr/src/linux-*.*.*/include/linux/cred.h):
其中定义了进程的三个能力位:inheritable(I)、permitted(P)和effective(E)
- cap_permitted:当一个进程将执行某项特权操作时,操作系统会检查cap_effective中对应位是否有效,而不再检查进程euid是否为0
- cap_permitted:表示进程实际能够使用的能力,在cap_permitted中可以包含cap_effective中没有的能力
- cap_inheritable表示能够被目标程序启动的子进程继承的能力
三、setcap、getcap:用户层的用途是,将系统中具有suid、sgid权限位的文件,以更安全的capability机制管理,减少潜在的程序漏洞带来的危害
root # find / -perm /4000 root # find / -perm /2000
『应用示例 一』
ping只需要CAP_NET_RAW能力,即可在具有x权限的环境中执行,并不需要suid权限
/* CAP_NET_RAW:use RAW and PACKET sockets;bind to any address for transparent proxying */
root # chown u-s /bin/ping root # setcap CAP_NET_RAW+ep /bin/ping root # getcap /bin/ping /bin/ping = cap_net_raw+ep
『应用示例 二』
使普通用户可执行iftop
root # setcap CAP_NET_RAW+ep /usr/sbin/iftop
『应用示例 三』
使普通用户可以使用chvt切换虚拟工作台
root # setcap cap_dac_read_search,cap_sys_tty_config+ep /usr/bin/chvt