Reprint: Linux capability in-depth analysis

Go to http://www.cnblogs.com/iamfy/archive/2012/09/20/2694977.html

A) Overview:

1) starting with version 2.1, the Linux kernel has the ability (capability) concept that it breaks the concept of super users/ordinary users in the Unix/linux operating system, and can be done only by the superuser. 2) Capability can function on the process (limited), it can also act on the program file, it is different from sudo, sudo only for user/program/file overview, sudo can configure a user can execute a command, you can change a file, And capability is to let a program have some kind of ability, for example: capability let/tmp/testkill program can kill other processes, but it cannot mount the device node to the directory, nor restart the system, because we only specified its ability to kill, Even if the program has a problem, it will not go beyond the scope of ability. 3) Each process has three bitmap-related bitmaps: inheritable (I), permitted (P), and effective (E), corresponding to the process descriptor Task_struct (include/linux/ SCHED.H) inside the cap_effective, cap_inheritable, cap_permitted, so we can view/proc/pid/status to view the process's ability. 4) Cap_effective: When a process is to perform a privileged operation, the operating system checks that the corresponding bit of the cap_effective is valid, and no longer checks whether the valid UID of the process is 0. For example, if a process is to set the system's clock, the Linux kernel will check the CAP_ Whether the Cap_sys_time bit (25th bit) of the effective is valid. 5) cap_permitted: Indicates the ability of the process to be able to use, in cap_permitted can contain the ability not in cap_effective, These abilities are temporarily abandoned by the process itself, or it can be said that Cap_effective is a subset of cap_permitted. 6) Cap_inheritable: Represents the ability to inherit from a program executed by the current process. #include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#undef _posix_source
#include <sys/capability.h>

extern int errno;

void WhoAmI (void)
{
printf ("Uid=%i euid=%i gid=%i\n", Getuid (), Geteuid (), Getgid ());
}

void Listcaps ()
{
cap_t caps = Cap_get_proc ();
Ssize_t y = 0;
printf ("The process%d was give capabilities%s\n",
(int) getpid (), Cap_to_text (Caps, &y));
Fflush (0);
Cap_free (Caps);
}

int main (int argc, char **argv)
{
int stat;
WhoAmI ();
Stat = setuid (Geteuid ());
pid_t parentpid = Getpid ();

if (!parentpid)
return 1;
cap_t caps = Cap_init ();


cap_value_t Caplist[5] =
{Cap_net_raw, Cap_net_bind_service, Cap_setuid, cap_setgid,cap_setpcap};
unsigned num_caps = 5;
Cap_set_flag (Caps, cap_effective, Num_caps, Caplist, Cap_set);
Cap_set_flag (Caps, cap_inheritable, Num_caps, Caplist, Cap_set);
Cap_set_flag (Caps, cap_permitted, Num_caps, Caplist, Cap_set);

if (Cap_set_proc (caps)) {
Perror ("Capset ()");

return exit_failure;
}
Listcaps (); printf ("dropping caps\n");
Cap_clear (Caps); Resetting caps Storage

if (Cap_set_proc (caps)) {
Perror ("Capset ()");
return exit_failure;
}
Listcaps (); Cap_free (Caps);
return 0;}

Compile:

GCC Capsettest.c-o capsettest-lcap  cannot be found at compile time sys/capability.h need to install Libcap (http://www.man7.org/linux/man-pages/ man8/setcap.8.html) or Apt-get install Libcap-dev run:./capsettest uid=0  euid=0  gid=0the Process 2383 was give capabilities = Cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw+eipdropping CapsThe Process 2383 was give capabilities =  Note: 1) We have added 5 capabilities to the process and then cleared all capabilities. 2) First initialize the state of the CAP capability value by Cap_init () and then through the cap_set_ The call of the flag function sets the ability of the three bitmaps to the variable caps, and then sets the capacity value of the current process through Cap_set_proc (caps), returning the current process's capability value through Cap_get_proc (), and finally passing the Cap_free (caps) The release capability value. 3) The prototype of the Cap_set_flag function is: int cap_set_flag (cap_t cap_p, cap_flag_t flag, int ncap,const cap_value_t *caps, Cap_flag_ value_t value);  Our invocation statements here are: Cap_set_flag (Caps, cap_permitted, Num_caps, Caplist, Cap_set); The first parameter cap_p is the variable that holds the capacity value, is the set value. Here is the caps. The second parameter, flag, is a bitmap of three capabilities, here is cap_permitted. The third parameter NCAP is the number of capabilities to set, here is Num_caps, that is, 5. The fourth parameter *caps is the ability value to set Here is the caplist array, which is Cap_net_raw, Cap_net_bind_service, Cap_setuid, Cap_setgid,cap_setpcap. The fifth parameter, value, determines whether to set or clear, here is Cap_set. 4) The prototype of the CAP_SET_PROC function is: int cap_set_proc (cap_t cap_p); Cap_set_proc function is set to the current process by the capability value in Cap_p.  5) The prototype of the Cap_get_proc function is: cap_t cap_get_proc (void); The Cap_get_proc function returns the capability value of the current process to the CAP variable.  6) The prototype of the Cap_free function is: Cap_free (Caps The Cap_free function cleans/releases the CAP variable.  7) if we fork () the child process, the child process inherits all the capabilities of the parent process.  8) You cannot set the cap_effective,cap_inheritable bitmap individually, Must be associated with cap_permitted, and cap_permitted must be a superset of the other two bitmaps.  9) If you call the Cap_set_proc function two times, The value force value of the second call cannot be less than or more than the first call. For the first time we authorize chown,setuid ability, the second time can only be chown,setuid can not be other ability value.  10) Normal user cannot set the ability to process .   three) The ability mask of the process: we can get the mask of the current process through the following program, it is through the Capget function to get the ability mask of the specified process, of course, we can also use Capset to set the mask, the following to obtain the embodiment of the mask: #undef _posix_source# Include <stdlib.h> #include <stdio.h> #include <sys/types.h> #include <unistd.h> #include < Linux/capability.h> #include <errno.h> int main () {     struct __user_cap_header_struct cap_header_data;     cap_user_header_t cap_header = &cap_header_data;       struct __user_cap_data_struct CAP_data_data;     cap_user_data_t cap_data = &cap_data_data;      cap_header-> PID = Getpid ();     cap_header->version = _linux_capability_version_1;      if ( Capget (Cap_header, Cap_data) < 0) {         perror ("Failed capget");      &NBSP ;  exit (1);     }     printf ("Cap data 0x%x, 0x%x, 0x%x\n", cap_data->effective,& nbsp        cap_data->permitted, cap_data->inheritable);}

GCC Capget0.c-o capget0-lcap

Normal User:./capget0 cap Data 0x0, 0x0, 0x0 Super User:/home/test/capget0 cap data 0xFFFFFFFF, 0xFFFFFFFF, 0x0 This also shows what the process of root runs by default Permissions are available, and ordinary users do not have any permissions.

Reprint: Linux capability in-depth analysis