As you may know, Linux has capabilities. Maybe you don't need all of them; if that is your case, you are in luck, since you can remove them using the lcap tool.
To list all Linux capabilities:
~# lcap
Current capabilities: 0xFFFDFCFF
 0) *CAP_CHOWN
 1) *CAP_DAC_OVERRIDE
 2) *CAP_DAC_READ_SEARCH
 3) *CAP_FOWNER
 4) *CAP_FSETID
 5) *CAP_KILL
 6) *CAP_SETGID
 7) *CAP_SETUID
 8) *CAP_SETPCAP
 9) *CAP_LINUX_IMMUTABLE
10) *CAP_NET_BIND_SERVICE
11) *CAP_NET_BROADCAST
12) *CAP_NET_ADMIN
13) *CAP_NET_RAW
14) *CAP_IPC_LOCK
15) *CAP_IPC_OWNER
16) *CAP_SYS_MODULE
17) CAP_SYS_RAWIO
18) *CAP_SYS_CHROOT
19) *CAP_SYS_PTRACE
20) *CAP_SYS_PACCT
21) *CAP_SYS_ADMIN
22) *CAP_SYS_BOOT
23) *CAP_SYS_NICE
24) *CAP_SYS_RESOURCE
25) *CAP_SYS_TIME
26) *CAP_SYS_TTY_CONFIG
27) *CAP_MKNOD
28) *CAP_LEASE
29) *CAP_AUDIT_WRITE
30) *CAP_AUDIT_CONTROL
* = Capabilities currently allowed
For example, I want to disable CAP_CHOWN, so that no user (including root) can change the owner of a file. In this case, the file is UNCHOWNABLE.
Usual way:
# touch filename
# chown vishal filename
Now the file is owned by vishal
My preferred way:
First, we remove the CAP_CHOWN capability (as root):
# lcap CAP_CHOWN
# touch filename
# chown vishal filename
chown: changing ownership of `filename': Operation not permitted
As you can see, chown no longer works, since we have removed that capability. To restore it, you need to reboot.
You can disable any capability at your own risk ;)
With a few changes/updates this tool is interesting for increasing security. For example, remove CAP_SYS_MODULE to take away the possibility to load/unload a module, which helps a bit against rootkits; for files that you don't want modified in any way, you can combine the immutable attribute on /bin, /usr/bin, /sbin, /usr/sbin with removing CAP_LINUX_IMMUTABLE, so that the expected binaries (checksums) cannot be changed. Try to play with any capability and see if it is interesting to you.
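An added example (not from the original post and not part of lcap) that decodes a capability mask of the kind lcap prints, and the CapBnd line that current kernels expose in /proc/<pid>/status, into allowed and dropped capability names. The numbering follows the lcap listing above, the sample status text is constructed, and bits beyond 30 (capabilities added after this post) are reported by number only.

```python
"""Decode a capability bounding-set mask into capability names.

Added example, not part of the original post or of lcap.  lcap prints the
bounding set as a hex mask (bit n set = capability n allowed); current
kernels expose the same per-process information as the CapBnd line of
/proc/<pid>/status.  Numbering follows the lcap listing above.
"""
import re

CAP_NAMES = [  # index == capability number, as in the lcap output
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL",
]

def decode_mask(mask):
    """Return (allowed, dropped) capability names for a bounding-set mask."""
    allowed, dropped = [], []
    for i in range(max(len(CAP_NAMES), mask.bit_length())):
        # Bits above 30 are capabilities added after this post; report them
        # by number rather than silently ignoring them.
        name = CAP_NAMES[i] if i < len(CAP_NAMES) else "CAP_%d" % i
        (allowed if (mask >> i) & 1 else dropped).append(name)
    return allowed, dropped

def capbnd_from_status(status_text):
    """Extract the CapBnd hex mask from the text of /proc/<pid>/status."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if m is None:
        raise ValueError("no CapBnd line found")
    return int(m.group(1), 16)

def dropped_caps(status_text):
    """Names of the capabilities missing from a process's bounding set."""
    return decode_mask(capbnd_from_status(status_text))[1]

# Constructed sample: status text of a process whose bounding set lost
# CAP_CHOWN (bit 0) and CAP_SYS_MODULE (bit 16), the two caps discussed above.
SAMPLE_STATUS = "Name:\tbash\nCapBnd:\t000000007ffefffe\n"

if __name__ == "__main__":
    print("dropped:", dropped_caps(SAMPLE_STATUS))  # CAP_CHOWN, CAP_SYS_MODULE
```

On a live system, feed it the contents of /proc/self/status to see what your own shell's bounding set is missing.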
For further info: man lcap