Traditionally, Linux Kernel distinguishes its processes with the following
Privileged Processes: These processes allow the user to bypass all Kernel permission checks.
Unprivileged Processes: These processes are subject to full permission checks, such as the effective UID, GID, and supplementary group list.
Granting full privileged access to a user process might induce system abuse, like unauthorized changes of data, backdoors, changing ACL, etc.
Linux 2.2 shipped with a solution called Capabilities. Capabilities allows the developer to grant binaries/files specific permissions.
Example Link to heading
Let’s say we want to start a Simple HTTP Server module of Python on port 80 with a non-privileged user. If we try to start the process without granting any capabilities, we will get the following error:
[email protected]:$ python -m SimpleHTTPServer 80 Traceback (most recent call last): File "/usr/lib/python2.7/runpy.py", line 174, in \_run_module_as_main "**main**", fname, loader, pkg_name) File "/usr/lib/python2.7/runpy.py", line 72, in \_run_code ... File "/usr/lib/python2.7/socket.py", line 228, in meth return getattr(self.\_sock,name)(\*args) socket.error: [Errno 13] Permission denied
Let’s add the
CAP_NET_BIND_SERVICE capability to our Python binary.
sudo setcap 'CAP_NET_BIND_SERVICE+ep' /usr/bin/python2.7
The above command states that we are adding the
capability to our
+ep indicates that the file is
Effective and Permitted ( “-” would remove it).
Now let’s try to run the Python Simple HTTP Server module again on port 80:
[email protected]:$ python -m SimpleHTTPServer 80 Serving HTTP on 0.0.0.0 port 80 ... 172.28.128.1 - - [06/Jul/2017 11:30:13] "GET / HTTP/1.1" 200 - 172.28.128.1 - - [06/Jul/2017 11:30:13] code 404, message File not found 172.28.128.1 - - [06/Jul/2017 11:30:13] "GET /favicon.ico HTTP/1.1" 404 - 172.28.128.1 - - [06/Jul/2017 11:30:13] code 404, message File not found 172.28.128.1 - - [06/Jul/2017 11:30:13] "GET /favicon.ico HTTP/1.1" 404 -
We are now able to serve traffic over privileged port 80 with a non-privileged user.
At the time of writing this article, there are over 40 capabilities which can be assigned per requirement.
There are 3 modes for Capabilities:
e: Effective - This indicates that the capability is “activated.”
p: Permitted - This indicates that the capability can be used.
i: Inherited - This indicates that the capability is inherited by child elements/subprocesses.
Capabilities provide a concise and efficient way to assign privileged permissions to non-privileged users.