👉 Overview
👀 What?
Linux Capabilities are a feature of the Linux kernel that breaks the all-or-nothing superuser model down into a set of distinct privileges, or 'capabilities'. Each capability can be independently granted to or withheld from a process.
🧐 Why?
Traditionally, Unix-based systems like Linux have used a binary model of privilege: a process is either privileged (root) or unprivileged. This model has been the source of many security issues, since any process or user running as root can perform any operation on the system. The Linux Capabilities model addresses this by giving finer-grained control over what a process can do, so that a program needing one privileged operation does not have to be trusted with all of them.
⛏️ How?
Linux Capabilities can be managed using various commands and tools, like 'setcap' to set file capabilities, 'getcap' to display the capabilities, and 'capsh' for manipulating and analyzing capability sets. For example, to grant the 'ping' command the 'cap_net_raw' capability, you would use the command 'setcap cap_net_raw+ep /bin/ping'.
⏳ When?
Linux Capabilities were introduced in kernel version 2.2, and have been gradually expanded and improved in subsequent releases. They are now a key part of the security architecture of any modern Linux system.
⚙️ Technical Explanations
Linux Capabilities are a key feature of the Linux kernel that increase system security by dividing absolute root power into a set of specific privileges, or 'capabilities'. Each capability can be individually given to or removed from a process, providing more nuanced control over system operations than the traditional binary root (superuser) or non-root model.
Capabilities are implemented technically as a set of bitmasks tied to each process. There are three sets of these bitmasks:
- The Permitted set: This set includes the capabilities that a process has the potential to use. It's a superset of the Effective and Inheritable sets.
- The Inheritable set: This set contains the capabilities that can be passed on to child processes during a call to exec(). Not all capabilities can be inherited, and the inheritance rules are complex and depend on various factors.
- The Effective set: This set contains the capabilities that are currently active for a process. When a process tries to perform a system operation, the Linux kernel checks if the corresponding bit in this set is turned on. If it is, the operation is allowed; if not, the operation is denied.
For managing these capabilities, Linux provides several commands and tools. For instance, 'setcap' is used to assign file capabilities, 'getcap' displays the capabilities, and 'capsh' is used for manipulating and examining capability sets. For example, to grant the 'ping' command the 'cap_net_raw' capability, you would use the 'setcap cap_net_raw+ep /bin/ping' command.
Linux Capabilities, introduced in Linux kernel version 2.2, have been gradually expanded and refined in subsequent releases. Today, they form an essential part of the security architecture of any modern Linux system. By providing fine-grained control over what a process or user can do, they help to limit the potential damage that can be caused by a process running with excessive privileges.
To illustrate how Linux Capabilities work, let's go through a detailed example of managing capabilities for the 'ping' command. Ping usually requires root privileges to function because it uses raw network sockets, but with Linux Capabilities, we can give it just the permissions it needs without granting complete root access.
1. Checking Current Capabilities: First, we check the current capabilities of the 'ping' command with 'getcap':
getcap /bin/ping
If 'ping' has already been granted the necessary capability, you would see:
/bin/ping = cap_net_raw+ep
2. Granting Capabilities: If 'ping' doesn't have the necessary capability, we grant it with 'setcap'. The 'cap_net_raw' capability allows a process to open raw network sockets, which 'ping' needs in order to send ICMP echo requests. The command would be:
sudo setcap cap_net_raw+ep /bin/ping
3. Verifying Capabilities: After setting the capability, we verify it again with 'getcap':
getcap /bin/ping
And you should see:
/bin/ping = cap_net_raw+ep
This process of checking, granting, and verifying capabilities can be used with any command or process, and with any set of capabilities. It's a powerful way to control exactly what a process can do, enhancing system security by reducing the need for processes to run with full root privileges.
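The check, grant and verify steps above, written as an idempotent script: an added example, not code from the original page. It assumes the libcap tools 'getcap' and 'setcap' are installed and that it is run with enough privilege to call 'setcap'; the helper names (explain_fcap, has_fcap, ensure_fcap) are this example's own. The flag letters 'getcap' prints after the capability name are e (effective), p (permitted) and i (inheritable); newer libcap prints them after '=' rather than '+', so both forms are accepted.

```shell
#!/bin/sh
# Added example: the check -> grant -> verify loop for file capabilities.
# Only calls setcap when the file does not already carry the requested capability.

# explain_fcap SPEC: spell out the flag letters in a spec such as "cap_net_raw+ep".
explain_fcap() {
    spec=$1
    caps=${spec%%[+=]*}           # capability name(s) before the + or =
    flags=${spec#"$caps"}
    flags=${flags#[+=]}           # the e/p/i letters
    out=""
    case $flags in *e*) out="effective" ;; esac
    case $flags in *p*) out="${out:+$out,}permitted" ;; esac
    case $flags in *i*) out="${out:+$out,}inheritable" ;; esac
    printf '%s: %s\n' "$caps" "${out:-none}"
}

# has_fcap SPEC CAPNAME: succeed if CAPNAME is in SPEC with both the e and p flags,
# i.e. what "setcap CAPNAME+ep" produces.
has_fcap() {
    spec=$1
    wanted=$2
    caps=${spec%%[+=]*}
    flags=${spec#"$caps"}
    flags=${flags#[+=]}
    case ",$caps," in *",$wanted,"*) ;; *) return 1 ;; esac
    case $flags in *e*) ;; *) return 1 ;; esac
    case $flags in *p*) ;; *) return 1 ;; esac
    return 0
}

# current_fcap FILE: print the file's capability spec, or nothing if it has none.
# Older libcap prints "FILE = SPEC", newer prints "FILE SPEC"; the spec is the last field either way.
current_fcap() {
    getcap "$1" 2>/dev/null | awk '{print $NF}'
}

# ensure_fcap FILE CAPNAME: check, grant only if missing, then verify.
ensure_fcap() {
    file=$1
    cap=$2
    if has_fcap "$(current_fcap "$file")" "$cap"; then
        echo "$file already has $cap+ep"
        return 0
    fi
    setcap "${cap}+ep" "$file" || return 1
    if has_fcap "$(current_fcap "$file")" "$cap"; then
        echo "$file now has $cap+ep: $(explain_fcap "$(current_fcap "$file")")"
    else
        echo "setcap succeeded but getcap does not show $cap on $file" >&2
        return 1
    fi
}

# Usage: sh ensure_fcap.sh FILE CAPNAME   e.g.  sh ensure_fcap.sh /bin/ping cap_net_raw
if [ $# -eq 2 ]; then
    ensure_fcap "$1" "$2"
fi
```

Because the script re-reads 'getcap' after 'setcap', it catches the common failure where the file lives on a filesystem mounted with nosuid or without extended-attribute support, in which case the capability is silently absent afterwards.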