Discussion:
LCAP - from the todo list
scsijon
2014-10-15 09:10:30 UTC
I thought I would do some research, having not known about lcap and
always being interested in this sort of thing.

The following is a summary of my resultant finds. I must say it was hard
to find anything decent, and I tend towards the idea of the lcap package
being a 'quickfix' for a new kernel config group that was later properly
internally incorporated.

-------------------
lcap Editor
Linux Kernel 2.2.11 added the capabilities for kernel-based access
control and the package LCAP-0.0.6 was created to deal with that;
however, it can only deal with system-wide control.

Since kernel 2.5.27, capabilities are an optional kernel
component, and can be enabled/disabled via the
CONFIG_SECURITY_CAPABILITIES kernel configuration option, removing the
'need' for a lcap package.

From Linux 2.6.25, the capability bounding set is a per-thread
attribute. There is no longer a system-wide capability bounding set.

The libcap package provides a suite of routines for setting and
getting capabilities that is more comfortable and less likely to
change than the interface provided by capset(2) and capget(2). This
package also provides the setcap(8) and getcap(8) programs.

---------------------------------------------------
*Programmatically adjusting capability sets
A thread can retrieve and change its capability sets using the
capget(2) and capset(2) system calls. However, the use of
cap_get_proc(3) and cap_set_proc(3), both provided in the libcap
package, is preferred for this purpose.

For 3.x.x series kernels, libcap2 can be found at
https://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2, with
the current version at 2.24.

As far as I can work out, from a lot of reading on the net, the lcap
editor only worked with the interim (system-wide) set and this is why it
has disappeared.

-----------------------------------------------------------
LCAP - Linux Kernel Capability Remover 0.0.6 README
Copyright (C) 1999-2000 ***@ix.netcom.com

"Capabilities" are a form of kernel-based access control. Linux kernel
versions 2.2.11 and greater include the idea of a "capability bounding set".
The bounding set is a list of capabilities that can be held by any process
on the system. If a capability is removed from the bounding set, the
capability may not be used by any process on the system (even processes
owned by root!).

LCAP allows a system administrator to remove specific capabilities
from the kernel in order to make the system more secure.
LCAP modifies the value in the sysctl file "/proc/sys/kernel/cap-bound".

For example, if a system administrator wishes to disallow the loading
of kernel modules, the following command line would be executed:

lcap CAP_SYS_MODULE

LCAP would then remove the capability from the bounding set. No more
modules may be loaded into the kernel on this system.

The only process that may add capabilities back to the kernel is
init. Capabilities that have been removed are added again at the
next system boot. LCAP would be a handy program to call in
/etc/rc.d/rc.local in order to set up the desired security of your
system.

LCAP also has the ability to set certain functionality in the Linux
Intrusion Detection System (LIDS) kernel patch
(http://www.turbolinux.com.cn/lids/).

Messing around with LCAP can severely mess up your system, so be very
careful. You may need to reboot quite often when testing out
the deletion of various capabilities.

Syntax:
lcap -h
Shows a help message.
lcap
Shows current settings.
lcap [-v[v]] capability ...
Remove capabilities (using either name or bit number) from bounding
set. The -v[v] option provides verbose and more verbose messages.
lcap [-v[v]] -z capability ...
Zero out the bounding set except for the capabilities listed.
This allows for shorter command lines if more capabilities are to
be zeroed out than kept.




bit capability (short description)
----------------------------------
00 CAP_CHOWN (chown(2)/chgrp(2)) ---------------------------------------+
01 CAP_DAC_OVERRIDE (DAC access) --------------------------------------+|
02 CAP_DAC_READ_SEARCH (DAC read) ------------------------------------+||
03 CAP_FOWNER (owner ID not equal to user ID) -----------------------+|||
04 CAP_FSETID (effective user ID not equal to owner ID) ------------+||||
05 CAP_KILL (real/effective ID not equal to process ID) -----------+|||||
06 CAP_SETGID (setgid(2)) ----------------------------------------+||||||
07 CAP_SETUID (set*uid(2)) --------------------------------------+|||||||
08 CAP_SETPCAP (transfer capability) ---------------------------+||||||||
09 CAP_LINUX_IMMUTABLE (immutable and append file attributes) -+|||||||||
10 CAP_NET_BIND_SERVICE (binding to ports below 1024) --------+||||||||||
11 CAP_NET_BROADCAST (broadcast/listening to multicast) -----+|||||||||||
12 CAP_NET_ADMIN (interface/firewall/routing changes) ------+||||||||||||
13 CAP_NET_RAW (raw sockets) ------------------------------+|||||||||||||
14 CAP_IPC_LOCK (locking of shared memory segments) ------+||||||||||||||
15 CAP_IPC_OWNER (IPC ownership checks) -----------------+|||||||||||||||
16 CAP_SYS_MODULE |||||||||||||||
(insertion and removal of kernel modules) ---------+||||||||||||||||
17 CAP_SYS_RAWIO (ioperm(2)/iopl(2) access) -----------+|||||||||||||||||
18 CAP_SYS_CHROOT (chroot(2)) ------------------------+||||||||||||||||||
19 CAP_SYS_PTRACE (ptrace(2)) -----------------------+|||||||||||||||||||
20 CAP_SYS_PACCT ||||||||||||||||||||
(configuration of process accounting) ---------+||||||||||||||||||||
21 CAP_SYS_ADMIN (tons of admin stuff) ------------+|||||||||||||||||||||
22 CAP_SYS_BOOT (reboot(2)) ----------------------+||||||||||||||||||||||
23 CAP_SYS_NICE (nice(2)) -----------------------+|||||||||||||||||||||||
24 CAP_SYS_RESOURCE (setting resource limits) --+||||||||||||||||||||||||
25 CAP_SYS_TIME (setting system time) ---------+|||||||||||||||||||||||||
26 CAP_SYS_TTY_CONFIG (tty configuration) ----+||||||||||||||||||||||||||
|||||||||||||||||||||||||||
kernel_cap_t 00000000000000000000000000000000


LIDS Functionality

functionality (short description)
---------------------------------
LIDS_INIT (protect all children of init)
LIDS_FIREWALL (lock IP firewall rules)
LIDS_MODULE (disallow module loading/unloading)
LIDS_MOUNT (disallow mounting/unmounting)
LIDS_RELOAD (reload configuration file)



Author:
***@ix.netcom.com

Take a look at the following file for more information:
/usr/include/linux/capability.h

Take a look at the following URLs for more information:
http://www.netcom.com/~spoon/lcap/
http://www.lwn.net/1999/1202/kernel.phtml
http://www.lwn.net/1999/1202/capabilities.phtml


----
$Id: README,v 1.5 2000/01/22 17:02:26 spoon Exp $
-------------------------------------------------------
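An added example, not code from scsijon's post or from the LCAP package: it models the bounding-set arithmetic the README describes (plain `lcap` clears the listed bits, `lcap -z` keeps only them) using the bit numbers from the table above, and decodes the CapBnd line of /proc/<pid>/status, which is where the per-thread bounding set mentioned earlier lives on 2.6.25+ kernels. The 32-digit rendering is assumed to mirror the README's kernel_cap_t line; the legacy /proc/sys/kernel/cap-bound file is not touched.

```python
# Bit numbers follow the README table above (bits 0..26 of the legacy 32-bit mask).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}
FULL_MASK = (1 << len(CAP_NAMES)) - 1   # boot-time state: every capability held

def cap_bit(cap):
    """lcap accepts a capability by name (CAP_SYS_MODULE) or by bit number (16)."""
    if isinstance(cap, int) or str(cap).isdigit():
        bit = int(cap)
        if not 0 <= bit < len(CAP_NAMES):
            raise ValueError(f"unknown capability bit {bit}")
        return bit
    return CAP_BIT[cap.upper()]   # KeyError for a name not in the table

def lcap_mask(caps, zero=False, current=FULL_MASK):
    """Bounding set left by `lcap cap...` (clear the listed bits) or, with
    zero=True, by `lcap -z cap...` (clear everything except the listed bits)."""
    listed = 0
    for cap in caps:
        listed |= 1 << cap_bit(cap)
    return current & listed if zero else current & ~listed

def caps_in(mask):
    """Capabilities still held in a mask; bits beyond the table (as in a modern
    64-bit CapBnd value) are reported by number, since the README does not name them."""
    names = [n for b, n in enumerate(CAP_NAMES) if mask >> b & 1]
    names += [str(b) for b in range(len(CAP_NAMES), mask.bit_length()) if mask >> b & 1]
    return names

def render(mask):
    """32 binary digits, bit 31 leftmost (assumed style of the README's kernel_cap_t line)."""
    return format(mask & 0xFFFFFFFF, "032b")

def capbnd_from_status(status_text):
    """Per-thread bounding set (kernel 2.6.25+): the hex CapBnd line of /proc/<pid>/status,
    which replaced the system-wide /proc/sys/kernel/cap-bound value that lcap edited."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapBnd line: kernel older than 2.6.25 or not a status file")
```

On a running 2.6.25+ kernel, `capbnd_from_status(open('/proc/self/status').read())` returns the calling thread's bounding set, and `caps_in()` on it shows whether e.g. CAP_SYS_MODULE is still available.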
