KBTAG: kben10000151
URL: http://www.securityportal.com/lskb/10000150/kben10000151.html
Date created: 28/08/2000
Date modified:
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: Linux kernel capabilities
Keywords: Kernel
The Linux kernel now has a number of capabilities that can be used to secure the machine.
http://home.netcom.com/~spoon/lcap/
For example you can disable the loading of kernel modules. Of course, if an attacker gains root they can reset the capability that allows modules to be inserted, insert a module, and then disable the capability again. Unfortunately, Linux kernel capabilities are not the answer to all your problems.
The following is a log of me disabling the kernel capabilities (all of them at once, for some reason), then trying to insert a module, which fails.
[root@server /root]# lcap
Current capabilities: 0xFFFFFEFF
   0) *CAP_CHOWN                 1) *CAP_DAC_OVERRIDE
   2) *CAP_DAC_READ_SEARCH       3) *CAP_FOWNER
   4) *CAP_FSETID                5) *CAP_KILL
   6) *CAP_SETGID                7) *CAP_SETUID
   8)  CAP_SETPCAP               9) *CAP_LINUX_IMMUTABLE
  10) *CAP_NET_BIND_SERVICE     11) *CAP_NET_BROADCAST
  12) *CAP_NET_ADMIN            13) *CAP_NET_RAW
  14) *CAP_IPC_LOCK             15) *CAP_IPC_OWNER
  16) *CAP_SYS_MODULE           17) *CAP_SYS_RAWIO
  18) *CAP_SYS_CHROOT           19) *CAP_SYS_PTRACE
  20) *CAP_SYS_PACCT            21) *CAP_SYS_ADMIN
  22) *CAP_SYS_BOOT             23) *CAP_SYS_NICE
  24) *CAP_SYS_RESOURCE         25) *CAP_SYS_TIME
  26) *CAP_SYS_TTY_CONFIG
    * = Capabilities currently allowed
[root@server /root]# lsmod
Module                  Size  Used by
ip_masq_vdolive         1336   0  (unused)
ip_masq_user            2632   0  (unused)
ip_masq_raudio          3000   0
ip_masq_quake           1352   0  (unused)
ip_masq_irc             1592   0
ip_masq_ftp             2616   0
ip_masq_cuseeme         1080   0  (unused)
via-rhine               9392   1  (autoclean)
ne                      6732   1  (autoclean)
8390                    6420   0  (autoclean) [ne]
[root@server /root]# rmmod ip_masq_cuseeme
[root@server /root]# lcap
Current capabilities: 0xFFFFFEFF
   0) *CAP_CHOWN                 1) *CAP_DAC_OVERRIDE
   2) *CAP_DAC_READ_SEARCH       3) *CAP_FOWNER
   4) *CAP_FSETID                5) *CAP_KILL
   6) *CAP_SETGID                7) *CAP_SETUID
   8)  CAP_SETPCAP               9) *CAP_LINUX_IMMUTABLE
  10) *CAP_NET_BIND_SERVICE     11) *CAP_NET_BROADCAST
  12) *CAP_NET_ADMIN            13) *CAP_NET_RAW
  14) *CAP_IPC_LOCK             15) *CAP_IPC_OWNER
  16) *CAP_SYS_MODULE           17) *CAP_SYS_RAWIO
  18) *CAP_SYS_CHROOT           19) *CAP_SYS_PTRACE
  20) *CAP_SYS_PACCT            21) *CAP_SYS_ADMIN
  22) *CAP_SYS_BOOT             23) *CAP_SYS_NICE
  24) *CAP_SYS_RESOURCE         25) *CAP_SYS_TIME
  26) *CAP_SYS_TTY_CONFIG
    * = Capabilities currently allowed
[root@server /root]# lcap CAP_SYS_MODULE
[root@server /root]# lcap
Current capabilities: 0x00000000
   0)  CAP_CHOWN                 1)  CAP_DAC_OVERRIDE
   2)  CAP_DAC_READ_SEARCH       3)  CAP_FOWNER
   4)  CAP_FSETID                5)  CAP_KILL
   6)  CAP_SETGID                7)  CAP_SETUID
   8)  CAP_SETPCAP               9)  CAP_LINUX_IMMUTABLE
  10)  CAP_NET_BIND_SERVICE     11)  CAP_NET_BROADCAST
  12)  CAP_NET_ADMIN            13)  CAP_NET_RAW
  14)  CAP_IPC_LOCK             15)  CAP_IPC_OWNER
  16)  CAP_SYS_MODULE           17)  CAP_SYS_RAWIO
  18)  CAP_SYS_CHROOT           19)  CAP_SYS_PTRACE
  20)  CAP_SYS_PACCT            21)  CAP_SYS_ADMIN
  22)  CAP_SYS_BOOT             23)  CAP_SYS_NICE
  24)  CAP_SYS_RESOURCE         25)  CAP_SYS_TIME
  26)  CAP_SYS_TTY_CONFIG
    * = Capabilities currently allowed
[root@server /root]# lcap CAP_SYS_MODULE
[root@server /root]# lcap
Current capabilities: 0x00000000
   0)  CAP_CHOWN                 1)  CAP_DAC_OVERRIDE
   2)  CAP_DAC_READ_SEARCH       3)  CAP_FOWNER
   4)  CAP_FSETID                5)  CAP_KILL
   6)  CAP_SETGID                7)  CAP_SETUID
   8)  CAP_SETPCAP               9)  CAP_LINUX_IMMUTABLE
  10)  CAP_NET_BIND_SERVICE     11)  CAP_NET_BROADCAST
  12)  CAP_NET_ADMIN            13)  CAP_NET_RAW
  14)  CAP_IPC_LOCK             15)  CAP_IPC_OWNER
  16)  CAP_SYS_MODULE           17)  CAP_SYS_RAWIO
  18)  CAP_SYS_CHROOT           19)  CAP_SYS_PTRACE
  20)  CAP_SYS_PACCT            21)  CAP_SYS_ADMIN
  22)  CAP_SYS_BOOT             23)  CAP_SYS_NICE
  24)  CAP_SYS_RESOURCE         25)  CAP_SYS_TIME
  26)  CAP_SYS_TTY_CONFIG
    * = Capabilities currently allowed
[root@server /root]# insmod /lib/modules/2.2.16/ipv4/ip_masq_cuseeme.o
/lib/modules/2.2.16/ipv4/ip_masq_cuseeme.o: create_module: Operation not permitted
[root@server /root]#
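To make the masks in the log above concrete, here is an added decoder (example code written for this entry, not part of the KB entry or of lcap itself). It maps an lcap mask such as 0xFFFFFEFF onto the capability numbering lcap prints, so an auditor can see which bits are still in the bounding set and whether module loading is locked. The cap-bound file format (a signed decimal integer in /proc/sys/kernel/cap-bound on 2.2/2.4 kernels, e.g. -257 for the default) is assumed from memory, not taken from the page.

```python
"""Decode a Linux 2.2-era capability bounding-set mask as shown by lcap.

Bit N set means capability N is still allowed; a cleared bit means it has
been dropped from the bounding set.  Numbering follows the lcap listing.
Added example, not code from the KB entry or from lcap.
"""
import os

CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG",
]

def decode_mask(mask):
    """Return (allowed, dropped) capability name lists for a 32-bit mask."""
    mask &= 0xFFFFFFFF
    allowed = [n for i, n in enumerate(CAP_NAMES) if (mask >> i) & 1]
    dropped = [n for i, n in enumerate(CAP_NAMES) if not (mask >> i) & 1]
    return allowed, dropped

def module_loading_locked(mask):
    """True when CAP_SYS_MODULE (bit 16) is out of the bounding set, which is
    why insmod in the log fails with 'create_module: Operation not permitted'."""
    return not (mask >> CAP_NAMES.index("CAP_SYS_MODULE")) & 1

def still_allowed(mask, should_be_dropped):
    """List the capabilities a hardening policy wanted gone that are still set."""
    allowed, _ = decode_mask(mask)
    return [cap for cap in should_be_dropped if cap in allowed]

def parse_lcap_header(line):
    """Pull the hex mask out of an lcap 'Current capabilities: 0x...' line."""
    label, sep, value = line.partition(":")
    if sep == "" or label.strip() != "Current capabilities":
        raise ValueError("not an lcap header line: %r" % line)
    return int(value.strip(), 16)

def mask_from_cap_bound(text):
    """Convert the signed decimal that /proc/sys/kernel/cap-bound held on
    2.2/2.4 kernels (assumption: e.g. '-257') into the unsigned lcap mask."""
    return int(text.strip(), 10) & 0xFFFFFFFF

def read_bounding_set(path="/proc/sys/kernel/cap-bound"):
    """Return the live mask, or None on kernels that no longer expose the file."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return mask_from_cap_bound(fh.read())
```

On a modern kernel read_bounding_set() returns None, since the global cap-bound file was replaced by per-process bounding sets (the CapBnd line in /proc/PID/status).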