1. Primary access rights in Linux
2. Capabilities in Linux
3. Testing capabilities in Linux
1. Primary access rights in Linux
In Linux, the primary access rights to a file are shown by ls called with the -l option. They appear in the first field of the entry corresponding to the file.
This 10-character field is made up of four sub-fields. The first sub-field consists of a single character that identifies the file type (‘-’ regular file, ‘d’ directory, ‘p’ named pipe, etc.).
The following three sub-fields identify the access rights to the file. Each of them is made up of three characters, each of which is ‘-’ when the right is absent or, in order:
1. ‘r’ – there is a right to read
2. ‘w’ – there is a right to write
3. ‘x’ – there is a right to execute
A sub-field indicating full rights would be ‘rwx’. The first of the rights sub-fields applies to the file owner, the next to the group the file belongs to, and the last to the rest of the users.
Thus, read, write and execute permissions for the owner of a regular file, and read-only access for the group and the other users, would look like -rwxr--r-- in that field.
In the case of directories, the right to execute refers to the right to change the current path to that directory and actually access its contents, not to list its contents (that is the right to read). When a directory shows ‘t’ in place of the execute right ‘x’, the directory has the so-called sticky bit set. This means deleting or modifying files within that directory can only be done by their owners.
Another value that can appear instead of the regular execute right ‘x’ is ‘s’, which indicates, depending on its position in the rights sub-fields, that the file has the SUID (Set User ID) bit or the SGID (Set Group ID) bit set. This bit means that, whoever runs the file, it executes with the permissions of its owner or of the group it belongs to. The main use of this mechanism is to allow other users to execute a command that requires root rights.
Changing access rights is done with the chmod command: chmod [user category][+ - =][rights] [path], where the first three parts are written together without spaces. The user category shows which users (which sub-field of the rights field) the change applies to and can be ‘u’ – owner, ‘g’ – group, ‘o’ – others or ‘a’ – all categories. ‘+’, ‘-’ or ‘=’ indicates adding rights to, removing rights from, or directly setting rights in place of the existing ones. Rights are specified by the associated characters described above (‘r’, ‘w’, ‘x’, etc.).
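The mode field and the chmod clauses described above, as an added example that is not part of the original page (mode_after and special_bits are names made up here). It applies chmod clauses to a scratch file or directory and prints the field ls -l would show, including the capital ‘S’ that appears when SUID is set but the owner has no execute right.

```bash
#!/bin/sh
# Added example, not from the original page. mode_after and special_bits
# are helper names made up for this illustration.

# mode_after <f|d> <chmod-clause>...
# Create a scratch file (f) or directory (d), clear all rights, apply each
# chmod clause in order, and print the 10-character field that ls -l shows.
mode_after() {
    kind=$1; shift
    scratch=$(mktemp -d) || return 1
    target="$scratch/item"
    if [ "$kind" = d ]; then mkdir "$target"; else : > "$target"; fi
    chmod 0000 "$target"                 # fixed start, independent of umask
    for clause in "$@"; do chmod "$clause" "$target"; done
    ls -ld "$target" | cut -c1-10        # drop any trailing ACL/SELinux mark
    chmod u+rwx "$target"; rm -rf "$scratch"
}

# special_bits <mode-field>: name the special bits present in a mode field.
special_bits() {
    m=$1; found=""
    case $m in ???[sS]*)       found="$found suid"   ;; esac
    case $m in ??????[sS]*)    found="$found sgid"   ;; esac
    case $m in ?????????[tT]*) found="$found sticky" ;; esac
    echo "${found# }"
}

mode_after f u=rwx,go=r          # -rwxr--r--  (the example from the text)
mode_after f u=rwx,go=r u+s      # -rwsr--r--  SUID shown in the owner's x slot
mode_after f u=rw,go=r u+s       # -rwSr--r--  SUID set, owner x absent
mode_after d u=rwx,go=rx o+t     # drwxr-xr-t  sticky bit on a directory
special_bits "$(mode_after f u=rwx,go=rx u+s)"   # suid
```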
2. Capabilities in Linux
In Linux, a number of operations require a privileged access level (superuser, root). Executable files that have the SUID bit set (described in the previous section) can perform such operations as root (if the file owner is root). Setting the SUID bit can open security flaws: if an executable that has the SUID bit is compromised, an attacker can get root privileges on the system. Because of this, the ability to set capabilities on an executable was introduced. Each capability allows a particular set of privileged operations.
When a program is running, the operating system checks the capabilities associated with that executable and allows it only the privileged operations they cover (e.g., the ability to create raw sockets).
By making the rights granted more granular, the risk that an unauthorized user obtains extended rights in the system is reduced.
3. Testing capabilities in Linux
Assigning capabilities to an executable is done with the setcap command. A simple form of invocation is the following:
setcap [capability_name]=[capability flags] [program]
To assign several capabilities, separate them with commas. The flags that can be attached to the assigned set of capabilities are as follows:
p – permitted: the capabilities allowed for that program, which are not necessarily active (in effect)
e – effective: the capabilities actually in effect for the program (always a subset of those with the flag p)
i – inheritable: the capabilities that the program can pass on to another process that it launches.
The capabilities associated with a program can be read with the getcap command. They are removed entirely with the setcap command and its -r option.
Some of the existing capabilities and a (partial) series of associated privileges are as follows:
cap_net_raw – ability to open a raw socket
cap_dac_read_search – ability to ignore primary read rights on files, and read and execute rights on directories
cap_dac_override – ability to ignore primary read, write and execute rights
cap_chown – ability to change the user or group owner of a file
cap_fowner – ability to ignore permission checks for certain operations that require the process user to be the same as the owner of the file affected by the process (e.g. chmod; in some situations, operations such as copying or renaming a file whose owner is not the user running the command)
cap_setuid – ability to arbitrarily manipulate the user identifier of a process
cap_kill – ability to ignore permission checks for sending signals
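One way to review what getcap reports, as an added example that is not part of the original page: audit_caps reads getcap-style lines and prints the files whose effective set holds a capability that, per the list above, bypasses file permission checks or changes file ownership or process identity. The function names, the choice of flagged capabilities and the sample lines are assumptions of this example, and paths are assumed to contain no spaces.

```bash
#!/bin/sh
# Added example, not from the original page. The list of capabilities treated
# as sensitive is this example's assumption; "all" covers a full set ("=ep").
SENSITIVE="all cap_dac_override cap_dac_read_search cap_chown cap_fowner cap_setuid"

# Constructed sample in both output styles of getcap (not real scan output).
sample_getcap_output() {
cat <<'EOF'
/usr/bin/ping cap_net_raw=ep
/opt/tools/backup cap_dac_read_search=ep
/opt/tools/helper = cap_chown,cap_setuid+ep
/opt/tools/idle cap_setuid=p
EOF
}

# audit_caps: read "path caps" lines on stdin, print "path: cap ..." for each
# file that has a sensitive capability with the e (effective) flag.
audit_caps() {
    while read -r path rest; do
        [ -n "$path" ] || continue
        rest=${rest#= }                       # older libcap: "path = caps+ep"
        hits=""
        for clause in $rest; do               # e.g. cap_chown,cap_setuid+ep
            names=${clause%%[=+]*}            # text before the flag operator
            flags=${clause#"$names"}          # e.g. =ep or +ep
            case $flags in *e*) ;; *) continue ;; esac
            [ -n "$names" ] || names=all      # bare "=ep" means every capability
            for name in $(echo "$names" | tr ',' ' '); do
                case " $SENSITIVE " in *" $name "*) hits="$hits $name" ;; esac
            done
        done
        [ -n "$hits" ] && echo "$path:$hits"
    done
    return 0
}

sample_getcap_output | audit_caps
# /opt/tools/backup: cap_dac_read_search
# /opt/tools/helper: cap_chown cap_setuid
```

On a real system the input would come from getcap -r run over the directories of interest.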