Title: Linux kernel capabilities

KBTAG: kben10000151
URL: http://www.securityportal.com/lskb/10000150/kben10000151.html
Date created: 28/08/2000
Date modified:
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: Linux kernel capabilities
Keywords: Kernel

Summary:

The Linux kernel (2.2 and later) splits the monolithic "root" privilege into a set of distinct capabilities (CAP_SYS_MODULE, CAP_NET_ADMIN, CAP_SYS_RAWIO and so on, listed below). In addition to per-process capability sets there is a system-wide capability bounding set; removing a capability from the bounding set takes it away from every process on the machine, including root. The lcap tool referenced below is a front end for doing exactly that, and it is this mechanism that can be used to harden the machine.

More information:

http://home.netcom.com/~spoon/lcap/

You can, for example, disable the loading of kernel modules by removing CAP_SYS_MODULE from the bounding set. The bounding set is designed to be one-way: processes other than init (PID 1) can only remove bits from it, not add them back, so an attacker who gains root cannot simply re-enable CAP_SYS_MODULE and insert a module. That does not make the machine safe, however: if CAP_SYS_RAWIO is still present the attacker can patch the running kernel directly through /dev/kmem or /dev/mem, and in any case they can reboot (or, with physical access, power-cycle) the machine into a kernel where the restriction has not yet been applied. For the protection to be worth anything it must be applied early in the boot sequence, and the boot loader and kernel image must themselves be protected. Note also that removing capabilities is not free: without CAP_SYS_ADMIN you can no longer mount filesystems, without CAP_SYS_BOOT you cannot reboot cleanly, and so on, so only remove what you can live without until the next reboot. Linux kernel capabilities are one layer of defence, not the answer to all your problems.

The following is a log of me removing capabilities on a 2.2.16 system, then trying to insert a module and having it fail. Note that the single command "lcap CAP_SYS_MODULE" was only meant to remove CAP_SYS_MODULE (bit 16), but the lcap listing afterwards shows the bounding set dropping from 0xFFFFFEFF to 0x00000000, i.e. every capability gone at once. The cause was not investigated; if you reproduce this, check the lcap output after each change and make sure only the capability you intended was removed. (Before the change, the only bit already clear is 8, CAP_SETPCAP, which this kernel version disables by default.)

[root@server /root]# lcap 
Current capabilities: 0xFFFFFEFF
   0) *CAP_CHOWN                   1) *CAP_DAC_OVERRIDE         
   2) *CAP_DAC_READ_SEARCH         3) *CAP_FOWNER               
   4) *CAP_FSETID                  5) *CAP_KILL                 
   6) *CAP_SETGID                  7) *CAP_SETUID               
   8)  CAP_SETPCAP                 9) *CAP_LINUX_IMMUTABLE      
  10) *CAP_NET_BIND_SERVICE       11) *CAP_NET_BROADCAST        
  12) *CAP_NET_ADMIN              13) *CAP_NET_RAW              
  14) *CAP_IPC_LOCK               15) *CAP_IPC_OWNER            
  16) *CAP_SYS_MODULE             17) *CAP_SYS_RAWIO            
  18) *CAP_SYS_CHROOT             19) *CAP_SYS_PTRACE           
  20) *CAP_SYS_PACCT              21) *CAP_SYS_ADMIN            
  22) *CAP_SYS_BOOT               23) *CAP_SYS_NICE             
  24) *CAP_SYS_RESOURCE           25) *CAP_SYS_TIME             
  26) *CAP_SYS_TTY_CONFIG       
    * = Capabilities currently allowed
[root@server /root]# lsmod
Module                  Size  Used by
ip_masq_vdolive         1336   0  (unused)
ip_masq_user            2632   0  (unused)
ip_masq_raudio          3000   0 
ip_masq_quake           1352   0  (unused)
ip_masq_irc             1592   0 
ip_masq_ftp             2616   0 
ip_masq_cuseeme         1080   0  (unused)
via-rhine               9392   1  (autoclean)
ne                      6732   1  (autoclean)
8390                    6420   0  (autoclean) [ne]
[root@server /root]# rmmod ip_masq_cuseeme 
[root@server /root]# lcap 
Current capabilities: 0xFFFFFEFF
   0) *CAP_CHOWN                   1) *CAP_DAC_OVERRIDE         
   2) *CAP_DAC_READ_SEARCH         3) *CAP_FOWNER               
   4) *CAP_FSETID                  5) *CAP_KILL                 
   6) *CAP_SETGID                  7) *CAP_SETUID               
   8)  CAP_SETPCAP                 9) *CAP_LINUX_IMMUTABLE      
  10) *CAP_NET_BIND_SERVICE       11) *CAP_NET_BROADCAST        
  12) *CAP_NET_ADMIN              13) *CAP_NET_RAW              
  14) *CAP_IPC_LOCK               15) *CAP_IPC_OWNER            
  16) *CAP_SYS_MODULE             17) *CAP_SYS_RAWIO            
  18) *CAP_SYS_CHROOT             19) *CAP_SYS_PTRACE           
  20) *CAP_SYS_PACCT              21) *CAP_SYS_ADMIN            
  22) *CAP_SYS_BOOT               23) *CAP_SYS_NICE             
  24) *CAP_SYS_RESOURCE           25) *CAP_SYS_TIME             
  26) *CAP_SYS_TTY_CONFIG       
    * = Capabilities currently allowed
[root@server /root]# lcap CAP_SYS_MODULE
[root@server /root]# lcap 
Current capabilities: 0x00000000
   0)  CAP_CHOWN                   1)  CAP_DAC_OVERRIDE         
   2)  CAP_DAC_READ_SEARCH         3)  CAP_FOWNER               
   4)  CAP_FSETID                  5)  CAP_KILL                 
   6)  CAP_SETGID                  7)  CAP_SETUID               
   8)  CAP_SETPCAP                 9)  CAP_LINUX_IMMUTABLE      
  10)  CAP_NET_BIND_SERVICE       11)  CAP_NET_BROADCAST        
  12)  CAP_NET_ADMIN              13)  CAP_NET_RAW              
  14)  CAP_IPC_LOCK               15)  CAP_IPC_OWNER            
  16)  CAP_SYS_MODULE             17)  CAP_SYS_RAWIO            
  18)  CAP_SYS_CHROOT             19)  CAP_SYS_PTRACE           
  20)  CAP_SYS_PACCT              21)  CAP_SYS_ADMIN            
  22)  CAP_SYS_BOOT               23)  CAP_SYS_NICE             
  24)  CAP_SYS_RESOURCE           25)  CAP_SYS_TIME             
  26)  CAP_SYS_TTY_CONFIG       
    * = Capabilities currently allowed
[root@server /root]# lcap CAP_SYS_MODULE
[root@server /root]# lcap 
Current capabilities: 0x00000000
   0)  CAP_CHOWN                   1)  CAP_DAC_OVERRIDE         
   2)  CAP_DAC_READ_SEARCH         3)  CAP_FOWNER               
   4)  CAP_FSETID                  5)  CAP_KILL                 
   6)  CAP_SETGID                  7)  CAP_SETUID               
   8)  CAP_SETPCAP                 9)  CAP_LINUX_IMMUTABLE      
  10)  CAP_NET_BIND_SERVICE       11)  CAP_NET_BROADCAST        
  12)  CAP_NET_ADMIN              13)  CAP_NET_RAW              
  14)  CAP_IPC_LOCK               15)  CAP_IPC_OWNER            
  16)  CAP_SYS_MODULE             17)  CAP_SYS_RAWIO            
  18)  CAP_SYS_CHROOT             19)  CAP_SYS_PTRACE           
  20)  CAP_SYS_PACCT              21)  CAP_SYS_ADMIN            
  22)  CAP_SYS_BOOT               23)  CAP_SYS_NICE             
  24)  CAP_SYS_RESOURCE           25)  CAP_SYS_TIME             
  26)  CAP_SYS_TTY_CONFIG       
    * = Capabilities currently allowed
[root@server /root]# insmod /lib/modules/2.2.16/ipv4/ip_masq_cuseeme.o 
/lib/modules/2.2.16/ipv4/ip_masq_cuseeme.o: create_module: Operation not permitted
[root@server /root]#