experience with capabilities


what capabilities are and how they are used (special attributes of executables, the per-binary alternative to the setuid bit)

command results on 3 distributions (getcap shows the file capabilities, lsattr the ext attributes, ls -l the setuid bit; note that the same binary carries different privileges on each distribution):

--------------------------------------------------
ubuntu 14.04 (libcap2-bin)

sacarde@sacarde-vm:~$ getcap `which ping`
/bin/ping = cap_net_raw+p

sacarde@sacarde-vm:~$ getcap `which beep`


sacarde@sacarde-vm:~$ lsattr `which beep`
-------------e-- /usr/bin/beep

sacarde@sacarde-vm:~$ lsattr `which ping`
-------------e-- /bin/ping

sacarde@sacarde-vm:~$ ls -l /usr/bin/beep
-rwsr-xr-x 1 root audio 9632 giu 11 2012 /usr/bin/beep

sacarde@sacarde-vm:~$ ls -l `which ping`
-rwxr-xr-x 1 root root 38932 mar 15 2014 /bin/ping

-----------------------------------------------------------------

sles12 (libcap-progs)

sacarde@linux:~> sudo getcap `which ping`
/usr/bin/ping = cap_net_raw+p

sacarde@linux:~> sudo getcap `which beep`
/usr/bin/beep = cap_dac_override,cap_sys_tty_config+ep

sacarde@linux:~> lsattr `which beep`
-------------e-- /usr/bin/beep
sacarde@linux:~> lsattr `which ping`
-------------e-- /usr/bin/ping

sacarde@linux:~> ls -l /usr/bin/beep
-rwxr-xr-x 1 root root 11576 ago 16 2014 /usr/bin/beep

sacarde@linux:~> ls -l /bin/ping
lrwxrwxrwx 1 root root 13 mag 30 10:10 /bin/ping -> /usr/bin/ping

---------------------------------------------------------------

fedora 20 (libcap)

[sacarde@localhost ~]$ sudo getcap `which ping`
/usr/bin/ping = cap_net_admin,cap_net_raw+ep

[sacarde@localhost ~]$ sudo getcap `which beep`

[sacarde@localhost ~]$ lsattr `which ping`
-------------e-- /usr/bin/ping

[sacarde@localhost ~]$ lsattr `which beep`
-------------e-- /usr/bin/beep

[sacarde@localhost ~]$ ls -l `which ping`
-rwxr-xr-x. 1 root root 48864 4 ago 2013 /usr/bin/ping

[sacarde@localhost ~]$ ls -l `which beep`
-rwxr-xr-x. 1 root root 10752 20 nov 2013 /usr/bin/beep

----------------------------------------------------------------
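The outputs above are easier to compare with a small audit helper. The following POSIX sh script is an added example, not part of the original notes: it parses getcap lines (both the older "path = caps+flags" format shown above and the newer "path caps=flags" format printed by recent libcap), splits them into path, capability list and set letters (e = effective, p = permitted, i = inheritable), rates the list against a hypothetical, hand-picked set of root-equivalent capabilities (cap_dac_override, for instance, bypasses file permission checks, which is why beep on sles12 deserves a closer look than ping), and detects the setuid bit in an ls -l mode string. The sample lines are constructed from the three outputs above; the live audit function is only run if you call it yourself and getcap is installed.

```shell
#!/bin/sh
# Added example (not from the original notes): audit file capabilities vs setuid.

# Constructed sample: the getcap lines from the three distributions above.
SAMPLE='/bin/ping = cap_net_raw+p
/usr/bin/ping = cap_net_admin,cap_net_raw+ep
/usr/bin/beep = cap_dac_override,cap_sys_tty_config+ep'

# parse_getcap_line "<getcap line>"  ->  "path|cap1,cap2|flags"
# Handles "/path = caps+flags" (libcap < 2.41) and "/path caps=flags" (newer).
parse_getcap_line() {
    line=$1
    case $line in
        *" = "*) path=${line%% = *}; rest=${line#* = } ;;
        *)       path=${line%% *};   rest=${line#* }   ;;
    esac
    caps=${rest%%[+=]*}        # everything before the first '+' or '='
    flags=${rest#*[+=]}        # the set letters after it: e, p, i
    printf '%s|%s|%s\n' "$path" "$caps" "$flags"
}

# describe_flags "ep" -> "effective,permitted"
describe_flags() {
    out=
    case $1 in *e*) out=effective ;; esac
    case $1 in *p*) out="${out:+$out,}permitted" ;; esac
    case $1 in *i*) out="${out:+$out,}inheritable" ;; esac
    printf '%s' "$out"
}

# cap_risk "cap_a,cap_b" -> "high" if any capability in the (assumed,
# hand-picked) root-equivalent list is present, otherwise "low".
cap_risk() {
    risk=low
    old_ifs=$IFS; IFS=,
    for c in $1; do
        case $c in
            cap_dac_override|cap_dac_read_search|cap_sys_admin|cap_sys_ptrace|\
            cap_sys_module|cap_setuid|cap_setgid|cap_chown|cap_fowner|cap_sys_rawio)
                risk=high ;;
        esac
    done
    IFS=$old_ifs
    printf '%s' "$risk"
}

# is_setuid "-rwsr-xr-x" -> exit 0 when the owner execute slot is s/S.
is_setuid() {
    case $1 in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# report_line "<getcap line>" -> one formatted audit row on stdout.
report_line() {
    parsed=$(parse_getcap_line "$1")
    path=${parsed%%|*}; rest=${parsed#*|}
    caps=${rest%%|*};   flags=${rest#*|}
    printf '%-16s risk=%-4s %s [%s]\n' \
        "$path" "$(cap_risk "$caps")" "$caps" "$(describe_flags "$flags")"
}

# live_audit: same check on the running system. Needs getcap from libcap
# (libcap2-bin on Ubuntu, libcap-progs on SLES, libcap on Fedora).
live_audit() {
    command -v getcap >/dev/null 2>&1 || { echo "getcap not installed" >&2; return 1; }
    getcap -r / 2>/dev/null | while IFS= read -r l; do report_line "$l"; done
    # setuid/setgid binaries: the mechanism file capabilities are meant to replace
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null
}

# Offline demo over the constructed sample.
printf '%s\n' "$SAMPLE" | while IFS= read -r l; do report_line "$l"; done
```

A "p" without "e" (ping on ubuntu 14.04) means the capability is only permitted: the program has to raise it itself before opening the raw socket, so the privilege is not active for the whole process lifetime. An "e" means it is effective from exec onward, as with beep on sles12.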

useful links:
/usr/src/linux/include/linux/capability.h
man capabilities
hallyn-reprint-capabilities.pdf
http://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid
https://guiodic.wordpress.com/2011/05/18/sicurezza-e-gnulinux-6-setuid-e-le-capabilities
https://wiki.gentoo.org/wiki/Hardened/Overview_of_POSIX_capabilities


Article taken from: #341724 Linux - http://sacarde.altervista.org/
Reference URL: http://sacarde.altervista.org/index.php?mod=read&id=1435483438