Bug 839993

Summary: captest --drop-caps output changed in RHEL7
Product: Red Hat Enterprise Linux 7
Component: libcap-ng
Version: 7.0
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: high
Priority: high
Reporter: Miroslav Vadkerti <mvadkert>
Assignee: Steve Grubb <sgrubb>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: ajia, ksrot, sgrubb
Target Milestone: beta
Keywords: Reopened
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-08-13 08:48:30 UTC

Description Miroslav Vadkerti 2012-07-13 11:58:07 UTC
Description of problem:
RHEL6 output:
Attemping to regain root...SUCCESS - PRIVILEGE ESCALATION POSSIBLE
Child User  credentials uid:0 euid:0 suid:0
Child Group credentials gid:0 egid:0 sgid:0
Child capabilities:
Effective:    00000003, FFFFFFFF
Permitted:    00000003, FFFFFFFF
Inheritable:  00000000, 00000000
Bounding Set: 00000003, FFFFFFFF
Child securebits flags: none
Attempting direct access to shadow...SUCCESS
User  credentials uid:0 euid:0 suid:0
Group credentials gid:0 egid:0 sgid:0
Current capabilities: none
securebits flags: none
Attempting direct access to shadow...FAILED (Permission denied)
Attempting to access shadow by child process...SUCCESS

RHEL7 output:
User  credentials uid:0 euid:0 suid:0
Group credentials gid:0 egid:0 sgid:0
Current capabilities: none
securebits flags: none
Attempting direct access to shadow...FAILED (Permission denied)
Attempting to access shadow by child process...SUCCESS
Attempting to regain root...SUCCESS - PRIVILEGE ESCALATION POSSIBLE
Child User  credentials uid:0 euid:0 suid:0
Child Group credentials gid:0 egid:0 sgid:0
Child capabilities:
Effective:    0000000F, FFFFFFFF
Permitted:    0000000F, FFFFFFFF
Inheritable:  00000000, 00000000
Bounding Set: 0000000F, FFFFFFFF
Child securebits flags: none
Attempting direct access to shadow...SUCCESS

Version-Release number of selected component (if applicable):
libcap-ng-0.6.6-2.el7

How reproducible:
100%

Steps to Reproduce:
1. captest --drop-caps
  
Actual results:
Results differ

Expected results:
Results the same as in RHEL6

Additional info:
If this problem is expected, please let me know and I will fix the test.

Comment 1 Steve Grubb 2012-07-13 13:06:03 UTC
Unless I missed something, the only difference I see is that there are more capabilities in RHEL7 than RHEL6. This is like the explanation in bz 839995. I think this can be closed.

Comment 2 Karel Srot 2015-08-12 14:24:59 UTC
Hello Steve, 
I am sorry for reopening, but I don't think that the difference is due to newly introduced capabilities.

RHEL-6:

# uname -a
Linux palava.usersys.redhat.com 2.6.32-573.1.1.el6.x86_64 #1 SMP Tue Jul 14 02:46:51 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
# rpm -q libcap-ng
libcap-ng-0.6.4-3.el6_0.1.x86_64

# capsh --print
Current: =ep
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin
Securebits: 00/0x0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0


# captest --drop-caps
User  credentials uid:0 euid:0 suid:0
Group credentials gid:0 egid:0 sgid:0
Current capabilities: none
securebits flags: none
Attempting direct access to shadow...FAILED (Permission denied)
Attempting to access shadow by child process...SUCCESS
Attemping to regain root...SUCCESS - PRIVILEGE ESCALATION POSSIBLE
Child User  credentials uid:0 euid:0 suid:0
Child Group credentials gid:0 egid:0 sgid:0
Child capabilities:
Effective:    00000003, FFFFFFFF
Permitted:    00000003, FFFFFFFF
Inheritable:  00000000, 00000000
Bounding Set: 00000003, FFFFFFFF
Child securebits flags: none
Attempting direct access to shadow...SUCCESS

# capsh --decode=00000003
0x0000000000000003=cap_chown,cap_dac_override


RHEL-7:

# uname -a
Linux qeos-10.lab.eng.rdu2.redhat.com 3.10.0-302.el7.x86_64 #1 SMP Fri Jul 31 18:34:51 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
# rpm -q libcap-ng
libcap-ng-0.7.5-2.el7.x86_64

# captest --drop-caps
User  credentials uid:0 euid:0 suid:0
Group credentials gid:0 egid:0 sgid:0
Current capabilities: none
securebits flags: none
Attempting direct access to shadow...FAILED (Permission denied)
Attempting to access shadow by child process...SUCCESS
Attempting to regain root...SUCCESS - PRIVILEGE ESCALATION POSSIBLE
Child User  credentials uid:0 euid:0 suid:0
Child Group credentials gid:0 egid:0 sgid:0
Child capabilities:
Effective:    0000001F, FFFFFFFF
Permitted:    0000001F, FFFFFFFF
Inheritable:  00000000, 00000000
Bounding Set: 0000001F, FFFFFFFF
Child securebits flags: none
Attempting direct access to shadow...SUCCESS

# capsh --decode=0000001F
0x000000000000001f=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid

So the difference in capabilities that WERE NOT dropped on RHEL-7 is: cap_dac_read_search,cap_fowner,cap_fsetid
As can be seen in the RHEL-6 output all 3 capabilities are known on RHEL-6.

The same issue occurs with --text and --lock.

Comment 4 Steve Grubb 2015-08-12 15:20:56 UTC
Note that the ones on the left are higher order bits than just 0x1F. They are capabilities 32 - 37. You can use the --text option to captest to get translated output instead of numbers.

Comment 5 Karel Srot 2015-08-13 08:48:30 UTC
I see, sorry for my mistake.