Thursday, August 14, 2014

Linux capabilities are here

My thanks to Craig Small for making me aware of how simple Linux capabilities are.  I remember hearing about them from time to time, but they usually got mingled with SELinux in my mind, and I assumed they were just as complicated and troublesome.  Little did I know...
$ ls -l /bin/ping
-rwxr-xr-x 1 root root 44104 Jun 18 17:37 /bin/ping
Look Ma, no SUID!  I've been using them all this time.  :)

One thing escaped me, though: are capabilities set up at boot time (like sysctl), or are they stored on the filesystem, like the old SUID?  Turns out they are indeed stored, as attributes:
$ lsattr /bin/ping
-------------e-- /bin/ping
Erm, I mean, extended attributes:
$ getfattr /bin/ping
Oops, getfattr(1) only displays user attributes by default.  My bad:
$ getfattr -m '-' /bin/ping
# file: bin/ping
security.capability
Oops, getfattr only displays the list of attribute names by default.  My bad:
$ getfattr -d -m '-' /bin/ping
# file: bin/ping
security.capability=0sAQAAAgAgAAAAAAAAAAAAAAAAAAA=
Huh.  This kinda looks like base64, doesn't it?  Ah, the manpage doesn't really say which encoding is chosen by default.  Let's give this another try:
$ getfattr -d -e hex -m '-' /bin/ping
# file: bin/ping
security.capability=0x0100000200200000000000000000000000000000
There we go.
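As an added example (not part of the original post), here is a small Python decoder for the security.capability value that getfattr printed above, taking either the 0s (base64) or the 0x (hex) form. It assumes the struct vfs_cap_data layout from the kernel's <linux/capability.h>: a little-endian magic_etc word whose top byte is the struct revision and whose low bit is the "effective" flag, followed by (permitted, inheritable) u32 pairs, plus a rootid word in revision 3. The CAP_NAMES table only spells out a handful of capability bits; any other bit is shown by number.

```python
import base64
import struct

# Capability bit numbers from <linux/capability.h>; unnamed bits render as cap_<n>.
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 7: "cap_setuid",
             10: "cap_net_bind_service", 12: "cap_net_admin",
             13: "cap_net_raw", 21: "cap_sys_admin", 31: "cap_setfcap"}
VFS_CAP_REVISION_MASK = 0xFF000000   # top byte of magic_etc is the struct revision
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001  # permitted caps become effective on exec
VFS_CAP_U32 = {1: 1, 2: 2, 3: 2}      # (permitted, inheritable) u32 pairs per revision

def getfattr_value_to_bytes(value):
    """Turn a getfattr value ("0s" = base64, "0x" = hex prefix) into raw bytes."""
    if value.startswith("0s"):
        return base64.b64decode(value[2:])
    if value.startswith("0x"):
        return bytes.fromhex(value[2:])
    raise ValueError("unrecognised getfattr value encoding: %r" % value[:2])

def bits_to_names(mask):
    return [CAP_NAMES.get(b, "cap_%d" % b) for b in range(64) if mask >> b & 1]

def decode_security_capability(value):
    """Parse a security.capability xattr (struct vfs_cap_data, v1/v2/v3)."""
    raw = getfattr_value_to_bytes(value)
    magic_etc = struct.unpack_from("<I", raw, 0)[0]
    revision = (magic_etc & VFS_CAP_REVISION_MASK) >> 24
    if revision not in VFS_CAP_U32:
        raise ValueError("unknown vfs_cap_data revision %d" % revision)
    pairs = VFS_CAP_U32[revision]
    words = struct.unpack_from("<%dI" % (2 * pairs), raw, 4)
    permitted = sum(words[2 * k] << (32 * k) for k in range(pairs))
    inheritable = sum(words[2 * k + 1] << (32 * k) for k in range(pairs))
    info = {"revision": revision,
            "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": bits_to_names(permitted),
            "inheritable": bits_to_names(inheritable)}
    if revision == 3:  # v3 appends the owning user namespace's root uid
        info["rootid"] = struct.unpack_from("<I", raw, 4 + 8 * pairs)[0]
    return info

def as_getcap_text(info):
    """Render the decoded sets in getcap(8) style, e.g. 'cap_net_raw+ep'."""
    parts = []
    if info["permitted"]:
        parts.append(",".join(info["permitted"]) + "+" + ("e" if info["effective"] else "") + "p")
    if info["inheritable"]:
        parts.append(",".join(info["inheritable"]) + "+i")
    return " ".join(parts)
```

Feeding it the /bin/ping value from above (either encoding) yields revision 2, an empty inheritable set and cap_net_raw in the permitted set with the effective flag on, which is what getcap would print as cap_net_raw+ep.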
