问题
I am in a difficult situation where I don't know what linux capabilities a process requires to work. What is the best way, or any way to find out what cap is required?
The only thing I can think of right now is using capsh and drop all caps on a process. The process then fails and I start to add caps (by removing --drop=CAP_XZY) until it works.
Any better suggestions?
回答1:
Another method, that I've come across a while ago in this blog post by Brendan Gregg is to use capabilities tracer - capable.
Below is a sample output:
$ sudo /usr/share/bcc/tools/capable
TIME UID PID COMM CAP NAME AUDIT
11:31:54 0 2467 capable 21 CAP_SYS_ADMIN 1
11:31:54 0 2467 capable 21 CAP_SYS_ADMIN 1
11:31:59 1000 2468 ls 1 CAP_DAC_OVERRIDE 1
11:31:59 1000 2468 ls 2 CAP_DAC_READ_SEARCH 1
11:32:02 0 1421 timesync 25 CAP_SYS_TIME 1
11:32:05 1000 2469 sudo 7 CAP_SETUID 1
11:32:05 0 2469 sudo 6 CAP_SETGID 1
It has a significant advantage of recording capability checks made by kernel for a given process. This allows to profile the application against the capabilities that it actually requires, e.g. to narrow down the privileges and execute it as an unprivileged user.
While pscap allows to list the effective capabilities of all running processes, it does not offer a reliable method of checking which capabilities are in fact required by the process, because:
- A process may have capability X in its permitted set and only raise it to the effective set for a short time to perform a privileged operation.
- A process could have started with broader set of capabilities, do the initialization requiring elevated privileges, and drop some (or all) capabilities (e.g. ping opening a raw socket).
- It works only for processes that are already running in capabilities-based manner. What if you had to determine the minimal capability set required for your newly developed application?
- It does not allow to correlate privilege checks made for application with the operations it performs, with capable you get timestamps for ever single check.
The sources for capable are available on github. Installation instructions for BCC (including capable) are available here. For further description please refer to the blog post mentioned at the beginning, please also note that capable requires kernel 4.4+, an alternative for older kernels is available in the blog post as well.
Note: I'm not the author, nor am I affiliated with the tool developers in any way. I just wanted to bring it to wider audience, since I have personally used it to develop a capabilities profile for a complex monitoring application that previously required full root privileges to run, and found this tracer to be of tremendous help.
回答2:
Turns out it is easier than expected. Install libcap-ng (https://people.redhat.com/sgrubb/libcap-ng/) and use pscap.
In Ubuntu 16.04, it can be installed with:
sudo apt-get install libcap-ng-utils
Sample output excerpt:
ppid pid name command capabilities
1 468 root systemd-journal chown, dac_override, dac_read_search, fowner, setgid, setuid, sys_ptrace, sys_admin, audit_control, mac_override, syslog, audit_read
1 480 root lvmetad full
1 492 root systemd-udevd full
1 1040 root rpc.idmapd full
1 1062 root rpc.gssd full
1 1184 messagebus dbus-daemon audit_write +
1 1209 root NetworkManager dac_override, kill, setgid, setuid, net_bind_service, net_admin, net_raw, sys_module, sys_chroot, audit_write
来源:https://stackoverflow.com/questions/35469038/how-to-find-out-what-linux-capabilities-a-process-requires-to-work