Does a process that have the root user always have all of the capabilities available in Linux?
In Linux, a process that have a non-root user can have some capabilities assigned to it to increase its privileges.
And a process that have the root user have all of the capabilities available, but can such a process have some of its capabilities removed (either manually or automatically in certain situations)?
linux capabilities
asked 1 hour ago
JohnJohn
1174
add a comment |
In Linux, a process that have a non-root user can have some capabilities assigned to it to increase its privileges.
And a process that have the root user have all of the capabilities available, but can such a process have some of its capabilities removed (either manually or automatically in certain situations)?
linux capabilities
asked 1 hour ago
JohnJohn
1174
add a comment |
In Linux, a process that have a non-root user can have some capabilities assigned to it to increase its privileges.
And a process that have the root user have all of the capabilities available, but can such a process have some of its capabilities removed (either manually or automatically in certain situations)?
linux capabilities
asked 1 hour ago
JohnJohn
1174
In Linux, a process that have a non-root user can have some capabilities assigned to it to increase its privileges.
And a process that have the root user have all of the capabilities available, but can such a process have some of its capabilities removed (either manually or automatically in certain situations)?
linux capabilities
linux capabilities
asked 1 hour ago
JohnJohn
1174
asked 1 hour ago
JohnJohn
1174
asked 1 hour ago
JohnJohn
1174
asked 1 hour ago
JohnJohn
1174
asked 1 hour ago
JohnJohn
1174
1174
add a comment |
add a comment |
3 Answers
3
active
oldest
votes
Yes, the idea of capabilities is that the user id itself doesn't give any special abilities. An UID 0 process can also drop unneeded capabilities. It would still retain access to files owned by UID 0 (e.g. /etc/shadow or /etc/ssh/sshd_config), so switching to another UID would still likely be a smart thing to do in addition.
We can test this with capsh, it allows us to drop capabilities as requested. Here, the last part is run as a shell script, and we can see that the chown fails since the ability to change file owners (CAP_CHOWN) was dropped:
# capsh --drop=cap_chown -- -c 'id; touch foo; chown nobody foo'
uid=0(root) gid=0(root) groups=0(root)
chown: changing ownership of 'foo': Operation not permitted
The capabilities(7) man page mentions that the system has some safeguards in place for setuid binaries that don't know about capabilities and might not deal well with a situation where some are permanently removed. See under "Safety checking for capability-dumb binaries".
The same man page of course contains other useful information on capabilities, too.
answered 42 mins ago
ilkkachuilkkachu
59.3k892167
add a comment |
Programmatically adjusting capability sets
A thread can retrieve and change its capability sets using the
capget(2) and capset(2) system calls. However, the use of
cap_get_proc(3) and cap_set_proc(3), both provided in the libcap
package, is preferred for this purpose. The following rules govern
changes to the thread capability sets:
...
- The new permitted set must be a subset of the existing permitted
set (i.e., it is not possible to acquire permitted capabilities
that the thread does not currently have).
- The new effective set must be a subset of the new permitted set.
-- capabilities(7)
answered 46 mins ago
sourcejedisourcejedi
24.3k440107
add a comment |
There are a few things you can do.
root_squash
One caveat I can think of is that NFS shares can be made available with the root_squash flag.
In this way, a network share can be mounted but a root user on the client is not given root access to files hosted on the server that makes the NFS available. In this you can make files accessible to another host and even if a user on that host has root on their box, your content is still safe.
This is useful in Enterprise environments for example if you want to allow your Network admins to have access to logs for their devices but don't want them to be able to make any changes. Even though they have root on their linux admin box, they can't alter the logs.
Here's my favorite guide if you want to read further: http://fullyautolinux.blogspot.com/2015/11/nfs-norootsquash-and-suid-basic-nfs.html
ssh
There are a couple of other things you can do. For example you can prevent root from being able to SSH to the device. This means that to become root, a user would need to access the device using a different account (e.g. an admin account you made), and then switch to the root user with a command like su.
A simple guide can be found here: https://mediatemple.net/community/products/dv/204643810/how-do-i-disable-ssh-login-for-the-root-user
RHEL7/CentOS7
Here is some doco from Redhat on how to limit the root account in enterprise environments:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-controlling_root_access
Update:
As discussed in other answers, you can also change the capabilities of the root account.
answered 54 mins ago
CrypteyaCrypteya
33917
I am not sure why this answer was downvoted. Root can be limited or restricted by selinux and apparmor. Wayland also limits root access to a users graphical desktop.
– Panther
10 mins ago
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f501725%2fdoes-a-process-that-have-the-root-user-always-have-all-of-the-capabilities-avail%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
Yes, the idea of capabilities is that the user id itself doesn't give any special abilities. An UID 0 process can also drop unneeded capabilities. It would still retain access to files owned by UID 0 (e.g. /etc/shadow or /etc/ssh/sshd_config), so switching to another UID would still likely be a smart thing to do in addition.
We can test this with capsh, it allows us to drop capabilities as requested. Here, the last part is run as a shell script, and we can see that the chown fails since the ability to change file owners (CAP_CHOWN) was dropped:
# capsh --drop=cap_chown -- -c 'id; touch foo; chown nobody foo'
uid=0(root) gid=0(root) groups=0(root)
chown: changing ownership of 'foo': Operation not permitted
The capabilities(7) man page mentions that the system has some safeguards in place for setuid binaries that don't know about capabilities and might not deal well with a situation where some are permanently removed. See under "Safety checking for capability-dumb binaries".
The same man page of course contains other useful information on capabilities, too.
answered 42 mins ago
ilkkachuilkkachu
59.3k892167
add a comment |
Yes, the idea of capabilities is that the user id itself doesn't give any special abilities. An UID 0 process can also drop unneeded capabilities. It would still retain access to files owned by UID 0 (e.g. /etc/shadow or /etc/ssh/sshd_config), so switching to another UID would still likely be a smart thing to do in addition.
We can test this with capsh, it allows us to drop capabilities as requested. Here, the last part is run as a shell script, and we can see that the chown fails since the ability to change file owners (CAP_CHOWN) was dropped:
# capsh --drop=cap_chown -- -c 'id; touch foo; chown nobody foo'
uid=0(root) gid=0(root) groups=0(root)
chown: changing ownership of 'foo': Operation not permitted
The capabilities(7) man page mentions that the system has some safeguards in place for setuid binaries that don't know about capabilities and might not deal well with a situation where some are permanently removed. See under "Safety checking for capability-dumb binaries".
The same man page of course contains other useful information on capabilities, too.
answered 42 mins ago
ilkkachuilkkachu
59.3k892167
add a comment |
Yes, the idea of capabilities is that the user id itself doesn't give any special abilities. An UID 0 process can also drop unneeded capabilities. It would still retain access to files owned by UID 0 (e.g. /etc/shadow or /etc/ssh/sshd_config), so switching to another UID would still likely be a smart thing to do in addition.
We can test this with capsh, it allows us to drop capabilities as requested. Here, the last part is run as a shell script, and we can see that the chown fails since the ability to change file owners (CAP_CHOWN) was dropped:
# capsh --drop=cap_chown -- -c 'id; touch foo; chown nobody foo'
uid=0(root) gid=0(root) groups=0(root)
chown: changing ownership of 'foo': Operation not permitted
The capabilities(7) man page mentions that the system has some safeguards in place for setuid binaries that don't know about capabilities and might not deal well with a situation where some are permanently removed. See under "Safety checking for capability-dumb binaries".
The same man page of course contains other useful information on capabilities, too.
answered 42 mins ago
ilkkachuilkkachu
59.3k892167
Yes, the idea of capabilities is that the user id itself doesn't give any special abilities. An UID 0 process can also drop unneeded capabilities. It would still retain access to files owned by UID 0 (e.g. /etc/shadow or /etc/ssh/sshd_config), so switching to another UID would still likely be a smart thing to do in addition.
We can test this with capsh, it allows us to drop capabilities as requested. Here, the last part is run as a shell script, and we can see that the chown fails since the ability to change file owners (CAP_CHOWN) was dropped:
# capsh --drop=cap_chown -- -c 'id; touch foo; chown nobody foo'
uid=0(root) gid=0(root) groups=0(root)
chown: changing ownership of 'foo': Operation not permitted
The capabilities(7) man page mentions that the system has some safeguards in place for setuid binaries that don't know about capabilities and might not deal well with a situation where some are permanently removed. See under "Safety checking for capability-dumb binaries".
The same man page of course contains other useful information on capabilities, too.
answered 42 mins ago
ilkkachuilkkachu
59.3k892167
answered 42 mins ago
ilkkachuilkkachu
59.3k892167
answered 42 mins ago
ilkkachuilkkachu
59.3k892167
answered 42 mins ago
ilkkachuilkkachu
59.3k892167
59.3k892167
add a comment |
add a comment |
Programmatically adjusting capability sets
A thread can retrieve and change its capability sets using the
capget(2) and capset(2) system calls. However, the use of
cap_get_proc(3) and cap_set_proc(3), both provided in the libcap
package, is preferred for this purpose. The following rules govern
changes to the thread capability sets:
...
- The new permitted set must be a subset of the existing permitted
set (i.e., it is not possible to acquire permitted capabilities
that the thread does not currently have).
- The new effective set must be a subset of the new permitted set.
-- capabilities(7)
answered 46 mins ago
sourcejedisourcejedi
24.3k440107
add a comment |
Programmatically adjusting capability sets
A thread can retrieve and change its capability sets using the
capget(2) and capset(2) system calls. However, the use of
cap_get_proc(3) and cap_set_proc(3), both provided in the libcap
package, is preferred for this purpose. The following rules govern
changes to the thread capability sets:
...
- The new permitted set must be a subset of the existing permitted
set (i.e., it is not possible to acquire permitted capabilities
that the thread does not currently have).
- The new effective set must be a subset of the new permitted set.
-- capabilities(7)
answered 46 mins ago
sourcejedisourcejedi
24.3k440107
add a comment |
Programmatically adjusting capability sets
A thread can retrieve and change its capability sets using the
capget(2) and capset(2) system calls. However, the use of
cap_get_proc(3) and cap_set_proc(3), both provided in the libcap
package, is preferred for this purpose. The following rules govern
changes to the thread capability sets:
...
- The new permitted set must be a subset of the existing permitted
set (i.e., it is not possible to acquire permitted capabilities
that the thread does not currently have).
- The new effective set must be a subset of the new permitted set.
-- capabilities(7)
answered 46 mins ago
sourcejedisourcejedi
24.3k440107
Programmatically adjusting capability sets
A thread can retrieve and change its capability sets using the
capget(2) and capset(2) system calls. However, the use of
cap_get_proc(3) and cap_set_proc(3), both provided in the libcap
package, is preferred for this purpose. The following rules govern
changes to the thread capability sets:
...
- The new permitted set must be a subset of the existing permitted
set (i.e., it is not possible to acquire permitted capabilities
that the thread does not currently have).
- The new effective set must be a subset of the new permitted set.
-- capabilities(7)
answered 46 mins ago
sourcejedisourcejedi
24.3k440107
answered 46 mins ago
sourcejedisourcejedi
24.3k440107
answered 46 mins ago
sourcejedisourcejedi
24.3k440107
answered 46 mins ago
sourcejedisourcejedi
24.3k440107
24.3k440107
add a comment |
add a comment |
There are a few things you can do.
root_squash
One caveat I can think of is that NFS shares can be made available with the root_squash flag.
In this way, a network share can be mounted but a root user on the client is not given root access to files hosted on the server that makes the NFS available. In this you can make files accessible to another host and even if a user on that host has root on their box, your content is still safe.
This is useful in Enterprise environments for example if you want to allow your Network admins to have access to logs for their devices but don't want them to be able to make any changes. Even though they have root on their linux admin box, they can't alter the logs.
Here's my favorite guide if you want to read further: http://fullyautolinux.blogspot.com/2015/11/nfs-norootsquash-and-suid-basic-nfs.html
ssh
There are a couple of other things you can do. For example you can prevent root from being able to SSH to the device. This means that to become root, a user would need to access the device using a different account (e.g. an admin account you made), and then switch to the root user with a command like su.
A simple guide can be found here: https://mediatemple.net/community/products/dv/204643810/how-do-i-disable-ssh-login-for-the-root-user
RHEL7/CentOS7
Here is some doco from Redhat on how to limit the root account in enterprise environments:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-controlling_root_access
Update:
As discussed in other answers, you can also change the capabilities of the root account.
answered 54 mins ago
CrypteyaCrypteya
33917
I am not sure why this answer was downvoted. Root can be limited or restricted by selinux and apparmor. Wayland also limits root access to a users graphical desktop.
– Panther
10 mins ago
add a comment |
There are a few things you can do.
root_squash
One caveat I can think of is that NFS shares can be made available with the root_squash flag.
In this way, a network share can be mounted but a root user on the client is not given root access to files hosted on the server that makes the NFS available. In this you can make files accessible to another host and even if a user on that host has root on their box, your content is still safe.
This is useful in Enterprise environments for example if you want to allow your Network admins to have access to logs for their devices but don't want them to be able to make any changes. Even though they have root on their linux admin box, they can't alter the logs.
Here's my favorite guide if you want to read further: http://fullyautolinux.blogspot.com/2015/11/nfs-norootsquash-and-suid-basic-nfs.html
ssh
There are a couple of other things you can do. For example you can prevent root from being able to SSH to the device. This means that to become root, a user would need to access the device using a different account (e.g. an admin account you made), and then switch to the root user with a command like su.
A simple guide can be found here: https://mediatemple.net/community/products/dv/204643810/how-do-i-disable-ssh-login-for-the-root-user
RHEL7/CentOS7
Here is some doco from Redhat on how to limit the root account in enterprise environments:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-controlling_root_access
Update:
As discussed in other answers, you can also change the capabilities of the root account.
answered 54 mins ago
CrypteyaCrypteya
33917
I am not sure why this answer was downvoted. Root can be limited or restricted by selinux and apparmor. Wayland also limits root access to a users graphical desktop.
– Panther
10 mins ago
add a comment |
There are a few things you can do.
root_squash
One caveat I can think of is that NFS shares can be made available with the root_squash flag.
In this way, a network share can be mounted but a root user on the client is not given root access to files hosted on the server that makes the NFS available. In this you can make files accessible to another host and even if a user on that host has root on their box, your content is still safe.
This is useful in Enterprise environments for example if you want to allow your Network admins to have access to logs for their devices but don't want them to be able to make any changes. Even though they have root on their linux admin box, they can't alter the logs.
Here's my favorite guide if you want to read further: http://fullyautolinux.blogspot.com/2015/11/nfs-norootsquash-and-suid-basic-nfs.html
ssh
There are a couple of other things you can do. For example you can prevent root from being able to SSH to the device. This means that to become root, a user would need to access the device using a different account (e.g. an admin account you made), and then switch to the root user with a command like su.
A simple guide can be found here: https://mediatemple.net/community/products/dv/204643810/how-do-i-disable-ssh-login-for-the-root-user
RHEL7/CentOS7
Here is some doco from Redhat on how to limit the root account in enterprise environments:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-controlling_root_access
Update:
As discussed in other answers, you can also change the capabilities of the root account.
answered 54 mins ago
CrypteyaCrypteya
33917
There are a few things you can do.
root_squash
One caveat I can think of is that NFS shares can be made available with the root_squash flag.
In this way, a network share can be mounted but a root user on the client is not given root access to files hosted on the server that makes the NFS available. In this you can make files accessible to another host and even if a user on that host has root on their box, your content is still safe.
This is useful in Enterprise environments for example if you want to allow your Network admins to have access to logs for their devices but don't want them to be able to make any changes. Even though they have root on their linux admin box, they can't alter the logs.
Here's my favorite guide if you want to read further: http://fullyautolinux.blogspot.com/2015/11/nfs-norootsquash-and-suid-basic-nfs.html
ssh
There are a couple of other things you can do. For example you can prevent root from being able to SSH to the device. This means that to become root, a user would need to access the device using a different account (e.g. an admin account you made), and then switch to the root user with a command like su.
A simple guide can be found here: https://mediatemple.net/community/products/dv/204643810/how-do-i-disable-ssh-login-for-the-root-user
RHEL7/CentOS7
Here is some doco from Redhat on how to limit the root account in enterprise environments:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-controlling_root_access
Update:
As discussed in other answers, you can also change the capabilities of the root account.
answered 54 mins ago
CrypteyaCrypteya
33917
edited 34 mins ago
answered 54 mins ago
CrypteyaCrypteya
33917
answered 54 mins ago
CrypteyaCrypteya
33917
answered 54 mins ago
CrypteyaCrypteya
33917
33917
I am not sure why this answer was downvoted. Root can be limited or restricted by selinux and apparmor. Wayland also limits root access to a users graphical desktop.
– Panther
10 mins ago
add a comment |
I am not sure why this answer was downvoted. Root can be limited or restricted by selinux and apparmor. Wayland also limits root access to a users graphical desktop.
– Panther
10 mins ago
I am not sure why this answer was downvoted. Root can be limited or restricted by selinux and apparmor. Wayland also limits root access to a users graphical desktop.
– Panther
10 mins ago
I am not sure why this answer was downvoted. Root can be limited or restricted by selinux and apparmor. Wayland also limits root access to a users graphical desktop.
– Panther
10 mins ago
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f501725%2fdoes-a-process-that-have-the-root-user-always-have-all-of-the-capabilities-avail%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
