Bug 839993
Summary: | captest --drop-caps output changed in RHEL7 | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Miroslav Vadkerti <mvadkert> |
Component: | libcap-ng | Assignee: | Steve Grubb <sgrubb> |
Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | 7.0 | CC: | ajia, ksrot, sgrubb |
Target Milestone: | beta | Keywords: | Reopened |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2015-08-13 08:48:30 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Miroslav Vadkerti
2012-07-13 11:58:07 UTC
Unless I missed something, the only difference I see is that there are more capabilities in RHEL7 than RHEL6. This is like the explanation in bz 839995. I think this can be closed.

Hello Steve, I am sorry for reopening, but I don't think that the difference is made by newly introduced capabilities.

RHEL-6:

```
# uname -a
Linux palava.usersys.redhat.com 2.6.32-573.1.1.el6.x86_64 #1 SMP Tue Jul 14 02:46:51 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
# rpm -q libcap-ng
libcap-ng-0.6.4-3.el6_0.1.x86_64
# capsh --print
Current: =ep
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin
Securebits: 00/0x0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=0
# captest --drop-caps
User credentials uid:0 euid:0 suid:0
Group credentials gid:0 egid:0 sgid:0
Current capabilities: none
securebits flags: none
Attempting direct access to shadow...FAILED (Permission denied)
Attempting to access shadow by child process...SUCCESS
Attemping to regain root...SUCCESS - PRIVILEGE ESCALATION POSSIBLE
Child User credentials uid:0 euid:0 suid:0
Child Group credentials gid:0 egid:0 sgid:0
Child capabilities:
Effective: 00000003, FFFFFFFF
Permitted: 00000003, FFFFFFFF
Inheritable: 00000000, 00000000
Bounding Set: 00000003, FFFFFFFF
Child securebits flags: none
Attempting direct access to shadow...SUCCESS
# capsh --decode=00000003
0x0000000000000003=cap_chown,cap_dac_override
```

RHEL-7:

```
# uname -a
Linux qeos-10.lab.eng.rdu2.redhat.com 3.10.0-302.el7.x86_64 #1 SMP Fri Jul 31 18:34:51 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
# rpm -q libcap-ng
libcap-ng-0.7.5-2.el7.x86_64
# captest --drop-caps
User credentials uid:0 euid:0 suid:0
Group credentials gid:0 egid:0 sgid:0
Current capabilities: none
securebits flags: none
Attempting direct access to shadow...FAILED (Permission denied)
Attempting to access shadow by child process...SUCCESS
Attempting to regain root...SUCCESS - PRIVILEGE ESCALATION POSSIBLE
Child User credentials uid:0 euid:0 suid:0
Child Group credentials gid:0 egid:0 sgid:0
Child capabilities:
Effective: 0000001F, FFFFFFFF
Permitted: 0000001F, FFFFFFFF
Inheritable: 00000000, 00000000
Bounding Set: 0000001F, FFFFFFFF
Child securebits flags: none
Attempting direct access to shadow...SUCCESS
# capsh --decode=0000001F
0x000000000000001f=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid
```

So the difference in capabilities that WERE NOT dropped on RHEL-7 is: cap_dac_read_search,cap_fowner,cap_fsetid

As can be seen in the RHEL-6 output, all 3 capabilities are known on RHEL-6. The same issue is with --text and --lock.

Note that the ones on the left are higher order bits than just 0x1F. They are capabilities 32 - 37. You can use the --text option to captest to get translated output instead of numbers.

I see, sorry for my mistake.
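The confusion in this report comes from feeding only the left word of captest's `HIGH, LOW` output to `capsh --decode`, which treats it as the low 32 bits. The following is an added example (not code from the bug report, captest or libcap-ng) that reassembles both words into one 64-bit mask and names the bits; the capability numbering is the one from the kernel's `linux/capability.h`, and the sample input is constructed from the child-capability lines quoted above.

```python
# Added example: decode captest's two-word capability masks as a single
# 64-bit value. captest prints "HIGH, LOW": the left word carries
# capabilities 32 and up, the right word carries capabilities 0-31.
import re

# Capability numbers as defined in linux/capability.h (cap 0 .. cap 37).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read",
]

def captest_words_to_mask(high_word: str, low_word: str) -> int:
    """Combine captest's 'HIGH, LOW' hex words into one 64-bit mask."""
    return (int(high_word, 16) << 32) | int(low_word, 16)

def decode_mask(mask: int) -> list:
    """Names of the set bits, lowest first; unknown bits become 'cap_N'."""
    return [CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}"
            for bit in range(64) if (mask >> bit) & 1]

# Matches lines such as "Bounding Set: 0000001F, FFFFFFFF".
LINE_RE = re.compile(r"^(\w[\w ]*?):\s*([0-9A-Fa-f]{8}),\s*([0-9A-Fa-f]{8})$")

def parse_captest_caps(text: str) -> dict:
    """Map each 'Effective/Permitted/...' line of captest output to a mask."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group(1)] = captest_words_to_mask(m.group(2), m.group(3))
    return result

# Constructed from the child-capability lines quoted in the bug report.
RHEL6_CHILD = "Effective: 00000003, FFFFFFFF\nBounding Set: 00000003, FFFFFFFF\n"
RHEL7_CHILD = "Effective: 0000001F, FFFFFFFF\nBounding Set: 0000001F, FFFFFFFF\n"

def caps_added_in_rhel7(field: str = "Effective") -> list:
    """Capabilities in the RHEL 7 child set that the RHEL 6 set lacks."""
    m6 = parse_captest_caps(RHEL6_CHILD)[field]
    m7 = parse_captest_caps(RHEL7_CHILD)[field]
    return decode_mask(m7 & ~m6)

if __name__ == "__main__":
    print(caps_added_in_rhel7())  # the three capabilities new in the 3.10 kernel
```

Decoding the combined value shows the extra RHEL 7 bits are cap_syslog, cap_wake_alarm and cap_block_suspend, not the cap_dac_read_search/cap_fowner/cap_fsetid that decoding the left word alone suggests.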